Summary

Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide. Attacks have been initiated by individuals as well as by countries. Targets have included government networks, military defenses, companies, and political organizations, depending on whether the attacker was seeking military intelligence, conducting diplomatic or industrial espionage, or intimidating political activists. In addition, national borders mean little or nothing to cyberattackers, and attributing an attack to a specific location can be difficult, which also makes a response problematic.

Congress has been actively involved in cybersecurity issues, holding hearings every year since 2001. There is no shortage of data on this topic: government agencies, academic institutions, think tanks, security consultants, and trade associations have issued hundreds of reports, studies, analyses, and statistics.

This report provides links to selected authoritative resources related to cybersecurity issues. It includes information on

• "Legislation"

• "Executive Orders and Presidential Directives"

• "Data and Statistics"

• "Cybersecurity Glossaries"

• "Reports by Topic"

  • Government Accountability Office (GAO) reports

  • White House/Office of Management and Budget reports

  • Military/DOD

  • Cloud Computing

  • Critical Infrastructure

  • National Strategy for Trusted Identities in Cyberspace (NSTIC)

  • Cybercrime/Cyberwar

  • International

  • Education/Training/Workforce

  • Research and Development (R&D)

• "Related Resources: Other Websites"

The report will be updated as needed.
Introduction

Cybersecurity is a sprawling topic that includes national, international, government, and private industry dimensions. Bills have already been introduced in both chambers of the 113th Congress (see Table 1 and Table 2). More than 40 bills and resolutions with provisions related to cybersecurity were introduced in the first session of the 112th Congress, including several proposing revisions to current laws. In the 111th Congress, the total was more than 60. Several of those bills received committee or floor action, but none became law. In fact, no comprehensive cybersecurity legislation has been enacted since 2002.

This report provides links to cybersecurity hearings and legislation under consideration in the 113th and 112th Congresses, as well as executive orders and presidential directives, data and statistics, glossaries, and authoritative reports.

For CRS analysis, please see the collection of CRS reports found on the Issues in Focus: Cybersecurity site.


Legislation

No major legislative provisions relating to cybersecurity have been enacted since 2002, despite many recommendations made over the past decade. The Obama Administration sent Congress a package of legislative proposals in May 2011[1] to give the federal government new authority to ensure that corporations that own the assets most critical to the nation's security and economic prosperity are adequately addressing the risks posed by cybersecurity threats.

Cybersecurity legislation advanced in both chambers in the 112th Congress. The House passed a series of bills that address a variety of issues, from toughening law enforcement of cybercrimes, to giving the Department of Homeland Security oversight of federal information technology and critical infrastructure security, to lessening liability for private companies that adopt cybersecurity best practices. The Senate pursued a comprehensive cybersecurity bill, with several committees working to create a single vehicle for passage backed by the White House, to no avail. The Senate bill also got mired in a procedural dispute over amendments.

Table 1 and Table 2 provide lists of Senate and House legislation under consideration in the 113th Congress, in order by date introduced. When viewed in HTML, the bill numbers are active links to the Bill Summary and Status page in the Legislative Information System (LIS).


[1] White House, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, May 2011, at http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.
Table 1. Major Legislation: Senate (113th Congress)

Bill No. | Title | Committee(s) | Date Introduced
S. 658 | Cyber Warrior Act of 2013 | Armed Services | March 22, 2013
S. 21 | Cybersecurity and American Cyber Competitiveness Act of 2013 | Homeland Security and Governmental Affairs | January 22, 2013

Source: Legislative Information System (LIS).

Table 2. Major Legislation: House (113th Congress)

Bill No. | Title | Committee(s) | Date Introduced
H.R. 1163 | Federal Information Security Amendments Act of 2013 | Oversight and Government Reform | March 14, 2013
H.R. 1121 | Cyber Privacy Fortification Act of 2013 | Judiciary | March 13, 2013
H.R. 967 | Advancing America's Networking and Information Technology Research and Development Act of 2013 | Science, Space, and Technology | March 14, 2013
H.R. 756 | Cybersecurity R&D | Science, Space, and Technology | February 15, 2013
H.R. 624 | Cyber Intelligence Sharing and Protection Act (CISPA) | Permanent Select Committee on Intelligence | February 13, 2013
H.R. 86 | Cybersecurity Education Enhancement Act of 2013 | Education and the Workforce; Homeland Security; Science, Space and Technology | January 3, 2013

Source: LIS.


Table 3 and Table 5 list major Senate and House legislation considered by the 112th Congress, in order by date introduced. When viewed in HTML, the bill numbers are active links to the Bill Summary and Status page in the Legislative Information System (LIS). The tables include bills with committee action, floor action, or significant legislative interest. Table 4 provides Congressional Record links to Senate floor debate of S. 3414, the Cybersecurity Act of 2012.


Table 3. Major Legislation: Senate (112th Congress)

Bill No. | Title | Committee(s) | Date Introduced
S. 413 | Cybersecurity and Internet Freedom Act of 2011 | Homeland Security and Governmental Affairs | February 17, 2011
S. 1151 | Personal Data Privacy and Security Act of 2011 | Judiciary | June 7, 2011
S. 1342 | Grid Cyber Security Act | Energy and Natural Resources | July 11, 2011
S. 1535 | Personal Data Protection and Breach Accountability Act of 2011 | Judiciary | September 22, 2011
S. 2102 | Cybersecurity Information Sharing Act of 2012 | Homeland Security and Governmental Affairs | February 13, 2012

Congressional Research Service, Cybersecurity: Authoritative Reports and Resources


Table 3 (continued). Major Legislation: Senate (112th Congress)

Bill No. | Title | Committee(s) | Date Introduced
S. 2105 | Cybersecurity Act of 2012 | Homeland Security and Governmental Affairs | February 14, 2012
S. 2151 | SECURE IT Act | Commerce, Science, and Transportation | March 1, 2012
S. 3333 | Data Security and Breach Notification Act of 2012 | Commerce, Science, and Transportation | June 21, 2012
S. 3342 | SECURE IT | N/A (Placed on Senate Legislative Calendar under General Orders, Calendar No. 438) | June 28, 2012
S. 3414 | Cybersecurity Act of 2012 | N/A (Placed on Senate Legislative Calendar under Read the First Time) | July 19, 2012

Source: LIS.


Table 4. Senate Floor Debate: S. 3414 (112th Congress)

Title | Date | Congressional Record Pages | Link
Cybersecurity Act of 2012: Motion to Proceed | July 26, 2012 | S5419-S5449 | http://www.gpo.gov/fdsys/pkg/CREC-2012-07-26/pdf/CREC-2012-07-26-pt1-PgS5419-6.pdf#page=1
Cybersecurity Act of 2012: Motion to Proceed - Continued and Cloture Vote | July 26, 2012 | S5450-S5467 | http://www.gpo.gov/fdsys/pkg/CREC-2012-07-26/pdf/CREC-2012-07-26-pt1-PgS5450-2.pdf#page=1
Cybersecurity Act of 2012 | July 31, 2012 | S5694-S5705 | http://www.gpo.gov/fdsys/pkg/CREC-2012-07-31/pdf/CREC-2012-07-31-pt1-PgS5694.pdf#page=1
Cybersecurity Act of 2012: Continued | July 31, 2012 | S5705-S5724 | http://www.gpo.gov/fdsys/pkg/CREC-2012-07-31/pdf/CREC-2012-07-31-pt1-PgS5705-2.pdf#page=1
Cybersecurity Act of 2012: Debate and Cloture Vote | August 2, 2012 | S5907-S5919 | http://www.gpo.gov/fdsys/pkg/CREC-2012-08-02/pdf/CREC-2012-08-02-pt1-PgS5904-2.pdf#page=4
Cybersecurity Act of 2012: Motion to Proceed | November 14, 2012 | S6774-S6784 | http://www.gpo.gov/fdsys/pkg/CREC-2012-11-14/pdf/CREC-2012-11-14-pt1-PgS6774.pdf#page=1

Source: Congressional Record (GPO).


Table 5. Major Legislation: House (112th Congress)

Bill No. | Title | Committee(s) | Date Introduced
H.R. 76 | Cybersecurity Education Enhancement Act of 2011 | Homeland Security; Oversight and Government Reform | January 5, 2011
H.R. 174 | Homeland Security Cyber and Physical Infrastructure Protection Act of 2011 | Technology; Education and the Workforce; Homeland Security | January 5, 2011
H.R. 2096 | Cybersecurity Enhancement Act of 2011 | Science, Space, and Technology | June 2, 2011
H.R. 3523 | Cyber Intelligence Sharing and Protection Act | Intelligence (Permanent Select) | November 30, 2011
H.R. 3674 | PRECISE Act of 2011 | Homeland Security; Oversight and Government Reform; Science, Space, and Technology; Judiciary; Intelligence (Permanent Select) | December 15, 2011
H.R. 4263 | SECURE IT Act of 2012 (Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology) | Oversight and Government Reform; Judiciary; Armed Services; Intelligence (Permanent Select) | March 27, 2012
H.R. 3834 | Advancing America's Networking and Information Technology Research and Development Act of 2012 | Science, Space, and Technology | January 27, 2012
H.R. 4257 | Federal Information Security Amendments Act of 2012 | Oversight and Government Reform | April 18, 2012

Source: LIS.


Hearings in the 113th Congress

The following tables list cybersecurity hearings in the 113th Congress. Table 6 and Table 7 contain identical content but are organized differently: Table 6 lists House hearings arranged by date (most recent first), and Table 7 lists House hearings arranged by committee. Table 8 and Table 9 do the same for Senate hearings.
Table 6. House Hearings (113th Congress), by Date

Title | Date | Committee | Subcommittee
Cyber Attacks: An Unprecedented Threat to U.S. National Security | March 21, 2013 | Foreign Affairs | Europe, Eurasia, and Emerging Threats
Protecting Small Business from Cyber-Attacks | March 21, 2013 | Small Business | Healthcare and Technology
Cybersecurity and Critical Infrastructure [CLOSED hearing] | March 20, 2013 | Appropriations | -
Cyber Threats from China, Russia and Iran: Protecting American Critical Infrastructure | March 20, 2013 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
DHS Cybersecurity: Roles and Responsibilities to Protect the Nation's Critical Infrastructure | March 13, 2013 | Homeland Security | -
Investigating and Prosecuting 21st Century Cyber Threats | March 13, 2013 | Judiciary | Crime, Terrorism, Homeland Security and Investigations
Information Technology and Cyber Operations: Modernization and Policy Issues to Support the Future Force | March 13, 2013 | Armed Services | Intelligence, Emerging Threats and Capabilities
Cyber R&D [Research and Development] Challenges and Solutions | February 26, 2013 | Science, Space, and Technology | Technology
Advanced Cyber Threats Facing Our Nation | February 14, 2013 | Select Committee on Intelligence | -

Source: Compiled by the Congressional Research Service (CRS).
Table 7. House Hearings (113th Congress), by Committee

Committee | Subcommittee | Title | Date
Appropriations | - | Cybersecurity and Critical Infrastructure [CLOSED hearing] | March 20, 2013
Armed Services | Intelligence, Emerging Threats and Capabilities | Information Technology and Cyber Operations: Modernization and Policy Issues to Support the Future Force | March 13, 2013
Foreign Affairs | Europe, Eurasia, and Emerging Threats | Cyber Attacks: An Unprecedented Threat to U.S. National Security | March 21, 2013
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Cyber Threats from China, Russia and Iran: Protecting American Critical Infrastructure | March 20, 2013
Homeland Security | - | DHS Cybersecurity: Roles and Responsibilities to Protect the Nation's Critical Infrastructure | March 13, 2013
Judiciary | Crime, Terrorism, Homeland Security and Investigations | Investigating and Prosecuting 21st Century Cyber Threats | March 13, 2013
Science, Space, and Technology | Technology | Cyber R&D [Research and Development] Challenges and Solutions | February 26, 2013
Select Committee on Intelligence | - | Advanced Cyber Threats Facing Our Nation | February 14, 2013
Small Business | Healthcare and Technology | Protecting Small Business from Cyber-Attacks | March 21, 2013

Source: Compiled by CRS.
Table 8. Senate Hearings (113th Congress), by Date

Title | Date | Committee | Subcommittee
Defense Authorization: Cybersecurity Threats (to receive a briefing on cybersecurity threats in review of the Defense Authorization Request for Fiscal Year 2014 and the Future Years Defense Program) | March 19, 2013 | Armed Services | Emerging Threats and Capabilities
Fiscal 2014 Defense Authorization, Strategic Command: U.S. Cyber Command | March 12, 2013 | Armed Services | -
The Cybersecurity Partnership Between the Private Sector and Our Government: Protecting Our National and Economic Security | March 7, 2013 | (Joint) Homeland Security and Governmental Affairs and Commerce, Science and Transportation | -

Source: Compiled by CRS.

Table 9. Senate Hearings (113th Congress), by Committee

Committee | Subcommittee | Title | Date
Armed Services | Emerging Threats and Capabilities | Defense Authorization: Cybersecurity Threats | March 19, 2013
Armed Services | - | Fiscal 2014 Defense Authorization, Strategic Command: U.S. Cyber Command | March 12, 2013
(Joint) Homeland Security and Governmental Affairs and Commerce, Science and Transportation | - | The Cybersecurity Partnership Between the Private Sector and Our Government: Protecting Our National and Economic Security | March 7, 2013

Source: Compiled by CRS.
Hearings in the 112th Congress

The following tables list cybersecurity hearings in the 112th Congress. Table 10 and Table 11 contain identical content but are organized differently: Table 10 lists House hearings arranged by date (most recent first), and Table 11 lists House hearings arranged by committee. Table 12 lists House markups by date. Table 13 and Table 14 contain identical content: Table 13 lists Senate hearings arranged by date, and Table 14 lists Senate hearings arranged by committee. When viewed in HTML, the document titles are active links.
Table 10. House Hearings (112th Congress), by Date

Title | Date | Committee | Subcommittee
Investigation of the Security Threat Posed by Chinese Telecommunications Companies Huawei and ZTE | September 13, 2012 | Permanent Select Committee on Intelligence | -
Resilient Communications: Current Challenges and Future Advancements | September 12, 2012 | Homeland Security | Emergency Preparedness, Response and Communications
Cloud Computing: An Overview of the Technology and the Issues facing American Innovators | July 25, 2012 | Judiciary | Intellectual Property, Competition, and the Internet
Digital Warriors: Improving Military Capabilities for Cyber Operations | July 25, 2012 | Armed Services | Emerging Threats and Capabilities
Cyber Threats to Capital Markets and Corporate Accounts | June 1, 2012 | Financial Services | Capital Markets and Government Sponsored Enterprises
Iranian Cyber Threat to U.S. Homeland | April 26, 2012 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies and Counterterrorism and Intelligence
America is Under Cyber Attack: Why Urgent Action is Needed | April 24, 2012 | Homeland Security | Oversight, Investigations and Management
The DHS and DOE National Labs: Finding Efficiencies and Optimizing Outputs in Homeland Security Research and Development | April 19, 2012 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Cybersecurity: Threats to Communications Networks and Public-Sector Responses | March 28, 2012 | Energy and Commerce | Communications and Technology
IT Supply Chain Security: Review of Government and Industry Efforts | March 27, 2012 | Energy and Commerce | Oversight and Investigations
Fiscal 2013 Defense Authorization: IT and Cyber Operations | March 20, 2012 | Armed Services | Emerging Threats and Capabilities
Cybersecurity: The Pivotal Role of Communications Networks | March 7, 2012 | Energy and Commerce | Communications and Technology
NASA Cybersecurity: An Examination of the Agency's Information Security | February 29, 2012 | Science, Space, and Technology | Investigations and Oversight
Critical Infrastructure Cybersecurity: Assessments of Smart Grid Security | February 28, 2012 | Energy and Commerce | Oversight and Investigations
Hearing on Draft Legislative Proposal on Cybersecurity | December 6, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Cyber Security: Protecting Your Small Business | December 1, 2011 | Small Business | Healthcare and Technology
Cyber Security: Protecting Your Small Business | November 30, 2011 | Small Business | Healthcare and Technology
Combating Online Piracy (H.R. 3261, Stop the Online Piracy Act) | November 16, 2011 | Judiciary | -
Cybersecurity: Protecting America's New Frontier | November 15, 2011 | Judiciary | Crime, Terrorism and Homeland Security
Institutionalizing Irregular Warfare Capabilities | November 3, 2011 | Armed Services | Emerging Threats and Capabilities
Cloud Computing: What are the Security Implications? | October 6, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Cyber Threats and Ongoing Efforts to Protect the Nation | October 4, 2011 | Permanent Select Intelligence | -
The Cloud Computing Outlook | September 21, 2011 | Science, Space, and Technology | Technology and Innovation
Combating Cybercriminals | September 14, 2011 | Financial Services | Financial Institutions and Consumer Credit
Cybersecurity: An Overview of Risks to Critical Infrastructure | July 26, 2011 | Energy and Commerce | Oversight and Investigations
Cybersecurity: Assessing the Nation's Ability to Address the Growing Cyber Threat | July 7, 2011 | Oversight and Government Reform | -
Field Hearing: Hacked Off: Helping Law Enforcement Protect Private Financial Information | June 29, 2011 | Financial Services (field hearing in Hoover, AL) | -
Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal | June 24, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Sony and Epsilon: Lessons for Data Security Legislation | June 2, 2011 | Energy and Commerce | Commerce, Manufacturing, and Trade
Protecting the Electric Grid: the Grid Reliability and Infrastructure Defense Act | May 31, 2011 | Energy and Commerce | Energy and Power
Unlocking the SAFETY Act's [Support Anti-terrorism by Fostering Effective Technologies - P.L. 107-296] Potential to Promote Technology and Combat Terrorism | May 26, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection, and Security Technologies
Protecting Information in the Digital Age: Federal Cybersecurity Research and Development Efforts | May 25, 2011 | Science, Space and Technology | Research and Science Education
Cybersecurity: Innovative Solutions to Challenging Problems | May 25, 2011 | Judiciary | Intellectual Property, Competition and the Internet
Cybersecurity: Assessing the Immediate Threat to the United States | May 25, 2011 | Oversight and Government Reform | National Security, Homeland Defense and Foreign Operations
DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure | April 15, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology | April 15, 2011 | Foreign Affairs | Oversight and Investigations
Budget Hearing - National Protection and Programs Directorate, Cybersecurity and Infrastructure Protection Programs | March 31, 2011 | Appropriations (closed/classified) | -
Examining the Cyber Threat to Critical Infrastructure and the American Economy | March 16, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
2012 Budget Request from U.S. Cyber Command | March 16, 2011 | Armed Services | Emerging Threats and Capabilities
What Should the Department of Defense's Role in Cyber Be? | February 11, 2011 | Armed Services | Emerging Threats and Capabilities
Preventing Chemical Terrorism: Building a Foundation of Security at Our Nation's Chemical Facilities | February 11, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
World Wide Threats | February 10, 2011 | Permanent Select Intelligence | -

Source: Compiled by CRS.


Table 11. House Hearings (112th Congress), by Committee

Committee | Subcommittee | Title | Date
Appropriations | (closed/classified) | Budget Hearing - National Protection and Programs Directorate, Cybersecurity and Infrastructure Protection Programs | March 31, 2011
Armed Services | Emerging Threats and Capabilities | Digital Warriors: Improving Military Capabilities for Cyber Operations | July 25, 2012
Armed Services | Emerging Threats and Capabilities | Fiscal 2013 Defense Authorization: IT and Cyber Operations | March 20, 2012
Armed Services | Emerging Threats and Capabilities | Institutionalizing Irregular Warfare Capabilities | November 3, 2011
Armed Services | Emerging Threats and Capabilities | 2012 Budget Request for U.S. Cyber Command | March 16, 2011
Armed Services | Emerging Threats and Capabilities | What Should the Department of Defense's Role in Cyber Be? | February 11, 2011
Energy and Commerce | Communications and Technology | Cybersecurity: Threats to Communications Networks and Public-Sector Responses | March 28, 2012
Energy and Commerce | Oversight and Investigations | IT Supply Chain Security: Review of Government and Industry Efforts | March 27, 2012
Energy and Commerce | Communications and Technology | Cybersecurity: The Pivotal Role of Communications Networks | March 7, 2012
Energy and Commerce | Oversight and Investigations | Critical Infrastructure Cybersecurity: Assessments of Smart Grid Security | February 28, 2012
Energy and Commerce | Oversight and Investigations | Cybersecurity: An Overview of Risks to Critical Infrastructure | July 26, 2011
Energy and Commerce | Commerce, Manufacturing, and Trade | Sony and Epsilon: Lessons for Data Security Legislation | June 2, 2011
Energy and Commerce | Energy and Power | Protecting the Electric Grid: the Grid Reliability and Infrastructure Defense Act | May 31, 2011
Financial Services | Capital Markets and Government Sponsored Enterprises | Cyber Threats to Capital Markets and Corporate Accounts | June 1, 2012
Financial Services | Financial Institutions and Consumer Credit | Combating Cybercriminals | September 14, 2011
Financial Services | Field hearing in Hoover, AL | Field Hearing: Hacked Off: Helping Law Enforcement Protect Private Financial Information | June 29, 2011
Foreign Affairs | Oversight and Investigations | Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology | April 15, 2011
Homeland Security | Emergency Preparedness, Response and Communications | Resilient Communications: Current Challenges and Future Advancements | September 12, 2012
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies and Counterterrorism and Intelligence | Iranian Cyber Threat to U.S. Homeland | April 26, 2012
Homeland Security | Oversight, Investigations and Management | America is Under Cyber Attack: Why Urgent Action is Needed | April 24, 2012
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | The DHS and DOE National Labs: Finding Efficiencies and Optimizing Outputs in Homeland Security Research and Development | April 19, 2012
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Hearing on Draft Legislative Proposal on Cybersecurity | December 6, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Cloud Computing: What are the Security Implications? | October 6, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal | June 24, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Unlocking the SAFETY Act's [Support Anti-terrorism by Fostering Effective Technologies - P.L. 107-296] Potential to Promote Technology and Combat Terrorism | May 26, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure | April 15, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Examining the Cyber Threat to Critical Infrastructure and the American Economy | March 16, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Preventing Chemical Terrorism: Building a Foundation of Security at Our Nation's Chemical Facilities | February 11, 2011
Judiciary | Intellectual Property, Competition and the Internet | Cloud Computing: An Overview of the Technology and the Issues facing American Innovators | July 25, 2012
Judiciary | - | Combating Online Piracy (H.R. 3261, Stop the Online Piracy Act) | November 16, 2011
Judiciary | Crime, Terrorism and Homeland Security | Cybersecurity: Protecting America's New Frontier | November 15, 2011
Judiciary | Intellectual Property, Competition and the Internet | Cybersecurity: Innovative Solutions to Challenging Problems | May 25, 2011
Oversight and Government Reform | - | Cybersecurity: Assessing the Nation's Ability to Address the Growing Cyber Threat | July 7, 2011
Oversight and Government Reform | National Security, Homeland Defense and Foreign Operations | Cybersecurity: Assessing the Immediate Threat to the United States | May 25, 2011
Permanent Select Intelligence | - | Investigation of the Security Threat Posed by Chinese Telecommunications Companies Huawei and ZTE | September 13, 2012
Permanent Select Intelligence | - | Cyber Threats and Ongoing Efforts to Protect the Nation | October 4, 2011
Permanent Select Intelligence | - | World Wide Threats | February 10, 2011
Science, Space and Technology | Investigations and Oversight | NASA Cybersecurity: An Examination of the Agency's Information Security | February 29, 2012
Science, Space and Technology | Technology and Innovation | The Cloud Computing Outlook | September 21, 2011
Science, Space and Technology | Research and Science Education | Protecting Information in the Digital Age: Federal Cybersecurity Research and Development Efforts | May 25, 2011
Small Business | Healthcare and Technology | Cyber Security: Protecting Your Small Business | December 1, 2011
Small Business | Healthcare and Technology | Cyber Security: Protecting Your Small Business | November 30, 2011

Source: Compiled by CRS.
Table 12. House Markups (112th Congress), by Date

Title | Date | Committee | Subcommittee
Consideration and Markup of H.R. 3674 | February 1, 2012 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Markup: Draft Bill: Cyber Intelligence Sharing and Protection Act of 2011 | December 1, 2011 | Permanent Select Intelligence | -
Markup on H.R. 2096, Cybersecurity Enhancement Act of 2011 | July 21, 2011 | Science, Space and Technology | -
Discussion Draft of H.R. 2577, a bill to require greater protection for sensitive consumer data and timely notification in case of breach | June 15, 2011 | Energy and Commerce | Commerce, Manufacturing, and Trade

Source: Compiled by CRS.

Table 13. Senate Hearings (112th Congress), by Date

Title | Date | Committee | Subcommittee
State of Federal Privacy and Data Security Law: Lagging Behind the Times? | July 31, 2012 | Homeland Security and Governmental Affairs | Oversight of Government Management, the Federal Workforce and the District of Columbia
Protecting Electric Grid From Cyber Attacks | July 17, 2012 | Energy and Natural Resources Committee |
To receive testimony on U.S. Strategic Command and U.S. Cyber Command in review of the Defense Authorization Request for Fiscal Year 2013 and the Future Years Defense Program. | March 27, 2012 | Armed Services |
To receive testimony on cybersecurity research and development in review of the Defense Authorization Request for Fiscal Year 2013 and the Future Years Defense Program | March 20, 2012 | Armed Services | Emerging Threats and Capabilities
The Freedom of Information Act: Safeguarding Critical Infrastructure Information and the Public’s Right to Know | March 13, 2012 | Judiciary |
Securing America’s Future: The Cybersecurity Act of 2012 | February 16, 2012 | Homeland Security and Governmental Affairs |
Cybercrime: Updating the Computer Fraud and Abuse Act to Protect Cyberspace and Combat Emerging Threats | September 7, 2011 | Judiciary |
Role of Small Business in Strengthening Cybersecurity Efforts in the United States | July 25, 2011 | Small Business and Entrepreneurship |
Privacy and Data Security: Protecting Consumers in the Modern World | June 29, 2011 | Commerce, Science and Transportation |
Cybersecurity: Evaluating the Administration’s Proposals | June 21, 2011 | Judiciary | Crime and Terrorism
Cybersecurity and Data Protection in the Financial Sector | June 21, 2011 | Banking, Housing and Urban Affairs |
Protecting Cyberspace: Assessing the White House Proposal | May 23, 2011 | Homeland Security and Governmental Affairs |
Cybersecurity of the Bulk-Power System and Electric Infrastructure | May 5, 2011 | Energy and Natural Resources |
To receive testimony on the health and status of the defense industrial base and its science and technology-related elements | May 3, 2011 | Armed Services | Emerging Threats and Capabilities
Cyber Security: Responding to the Threat of Cyber Crime and Terrorism | April 12, 2011 | Judiciary | Crime and Terrorism
Oversight of the Federal Bureau of Investigation | March 30, 2011 | Judiciary |
Cybersecurity and Critical Electric Infrastructure (a) | March 15, 2011 | Energy and Natural Resources |
Information Sharing in the Era of WikiLeaks: Balancing Security and Collaboration | March 10, 2011 | Homeland Security and Governmental Affairs |
Homeland Security Department’s Budget Submission for Fiscal Year 2012 | February 17, 2011 | Homeland Security and Governmental Affairs |

Source: Compiled by CRS.

a. The March 15, 2011, hearing before the Committee on Energy and Natural Resources was closed. The hearing notice was removed from the committee’s website.


Table 14. Senate Hearings (112th Congress), by Committee

Committee | Subcommittee | Title | Date
Armed Services | Emerging Threats and Capabilities | To receive testimony on cybersecurity research and development in review of the Defense Authorization Request for Fiscal Year 2013 and the Future Years Defense Program | March 20, 2012
Armed Services | Emerging Threats and Capabilities | To receive testimony on the health and status of the defense industrial base and its science and technology-related elements | May 3, 2011
Banking, Housing and Urban Affairs | | Cybersecurity and Data Protection in the Financial Sector | June 21, 2011
Commerce, Science and Transportation | | Privacy and Data Security: Protecting Consumers in the Modern World | June 29, 2011
Energy and Natural Resources | | Protecting the Electric Grid from Cyber Attacks | July 17, 2012
Energy and Natural Resources | | Cybersecurity of the Bulk-Power System and Electric Infrastructure | May 5, 2011
Energy and Natural Resources (closed) | | Cybersecurity and Critical Electric Infrastructure (a) | March 15, 2011
Homeland Security & Governmental Affairs | Oversight of Government Management, the Federal Workforce and the District of Columbia | State of Federal Privacy and Data Security Law: Lagging Behind the Times? | July 31, 2012
Homeland Security & Governmental Affairs | | Securing America’s Future: The Cybersecurity Act of 2012 | February 16, 2012
Homeland Security and Governmental Affairs | | Protecting Cyberspace: Assessing the White House Proposal | May 23, 2011
Homeland Security and Governmental Affairs | | Information Sharing in the Era of WikiLeaks: Balancing Security and Collaboration | March 10, 2011
Homeland Security and Governmental Affairs | | Homeland Security Department’s Budget Submission for Fiscal Year 2012 | February 17, 2011
Judiciary | | The Freedom of Information Act: Safeguarding Critical Infrastructure Information and the Public’s Right to Know | March 13, 2012
Judiciary | | Cybercrime: Updating the Computer Fraud and Abuse Act to Protect Cyberspace and Combat Emerging Threats | September 7, 2011
Judiciary | Crime and Terrorism | Cybersecurity: Evaluating the Administration’s Proposals | June 21, 2011
Judiciary | Crime and Terrorism | Cyber Security: Responding to the Threat of Cyber Crime and Terrorism | April 12, 2011
Judiciary | | Oversight of the Federal Bureau of Investigation | March 30, 2011
Small Business and Entrepreneurship | | Role of Small Business in Strengthening Cybersecurity Efforts in the United States | July 25, 2011

Source: Compiled by CRS.

a. The March 15, 2011, hearing before the Committee on Energy and Natural Resources was closed. The hearing notice was removed from the committee’s website.
Table 15. Congressional Committee Investigative Reports

Title | Committee | Date | Pages | Notes
Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE | House Permanent Select Committee on Intelligence | October 8, 2012 | 60 | The committee initiated this investigation in November 2011 to inquire into the counterintelligence and security threat posed by Chinese telecommunications companies doing business in the United States.
Federal Support for and Involvement in State and Local Fusion Centers | U.S. Senate Permanent Subcommittee on Investigations | October 3, 2012 | 141 | A two-year bipartisan investigation found that U.S. Department of Homeland Security efforts to engage state and local intelligence “fusion centers” have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, “Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts,” Part G, “Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts,” the report discusses the Russian “Cyberattack” in Illinois.

Source: Compiled by CRS.
Executive Orders and Presidential Directives

Executive orders are official documents through which the President of the United States manages the operations of the federal government. Presidential directives pertain to all aspects of U.S. national security policy and are signed or authorized by the President.

The following reports provide additional information on executive orders and presidential directives:

• CRS Report RS20846, Executive Orders: Issuance, Modification, and Revocation, by Todd Garvey and Vivian S. Chu, and

• CRS Report 98-611, Presidential Directives: Background and Overview, by L. Elaine Halchin.

Table 16 provides a list of executive orders and presidential directives pertaining to information and computer security.
Table 16. Executive Orders and Presidential Directives (by date of issuance)

Title | Date | Source | Notes
E.O. 13636, Improving Critical Infrastructure Cybersecurity, http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf | February 12, 2013 | White House | The order directs agencies to take steps to expand cyberthreat information sharing with companies. It also tells them to come up with incentives for owners of the most vital and vulnerable digital infrastructure, like those tied to the electricity grid or banking system, to voluntarily comply with a set of security standards. And it orders them to review their regulatory authority on cybersecurity and propose new regulations in some cases.
Presidential Policy Directive (PPD) 21 - Critical Infrastructure Security and Resilience, http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil | February 12, 2013 | White House | This directive establishes national policy on critical infrastructure security and resilience. This endeavor is a shared responsibility among the federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure (hereinafter referred to as “critical infrastructure owners and operators”). This directive also refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the federal government, as well as enhances overall coordination and collaboration. The federal government also has a responsibility to strengthen the security and resilience of its own critical infrastructure, for the continuity of national essential functions, and to organize itself to partner effectively with and add value to the security and resilience efforts of critical infrastructure owners and operators.
E.O. 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible, http://www.gpo.gov/fdsys/pkg/FR-2011-10-13/pdf/2011-26729.pdf | October 7, 2011 | White House | This order directs structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties. Agencies bear the primary responsibility for meeting these twin goals. These policies and minimum standards will address all agencies that operate or access classified computer networks, all users of classified computer networks (including contractors and others who operate or access classified computer networks controlled by the federal government), and all classified information on those networks.
E.O. 13407, Public Alert and Warning System, http://www.gpo.gov/fdsys/pkg/WCPD-2006-07-03/pdf/WCPD-2006-07-03-Pg1226.pdf | June 26, 2006 | White House | Assigns the Secretary of Homeland Security the responsibility to establish or adopt, as appropriate, common alerting and warning protocols, standards, terminology, and operating procedures for the public alert and warning system to enable interoperability and the secure delivery of coordinated messages to the American people through as many communication pathways as practicable, taking account of Federal Communications Commission rules as provided by law.
HSPD-7, Homeland Security Presidential Directive No. 7: Critical Infrastructure Identification, Prioritization, and Protection, http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm | December 17, 2003 | White House | Assigns the Secretary of Homeland Security the responsibility of coordinating the nation’s overall efforts in critical infrastructure protection across all sectors. HSPD-7 also designates the Department of Homeland Security (DHS) as lead agency for the nation’s information and telecommunications sectors.
E.O. 13286, Amendment of Executive Orders, and Other Actions, in Connection With the Transfer of Certain Functions to the Secretary of Homeland Security, http://edocket.access.gpo.gov/2003/pdf/03-5343.pdf | February 28, 2003 | White House | Designates the Secretary of Homeland Security the Executive Agent of the National Communication System Committee of Principals, which are the agencies, designated by the President, that own or lease telecommunication assets identified as part of the National Communication System, or which bear policy, regulatory, or enforcement responsibilities of importance to national security and emergency preparedness telecommunications.
Presidential Decision Directive/NSC-63, http://www.fas.org/irp/offdocs/pdd/pdd-63.htm | May 22, 1998 | White House | Sets as a national goal the ability to protect the nation’s critical infrastructure from intentional attacks (both physical and cyber) by the year 2003. According to the PDD, any interruptions in the ability of these infrastructures to provide their goods and services must be “brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States.”
NSD-42, National Security Directive 42 - National Policy for the Security of National Security Telecommunications and Information Systems, http://bushlibrary.tamu.edu/research/pdfs/nsd/nsd42.pdf | July 5, 1990 | White House | Establishes the National Security Telecommunications and Information Systems Security Committee, now called the Committee on National Security Systems (CNSS). CNSS is an interagency committee, chaired by the Department of Defense. Among other assignments, NSD-42 directs the CNSS to provide system security guidance for national security systems to executive departments and agencies; and submit annually to the Executive Agent an evaluation of the security status of national security systems. NSD-42 also directs the Committee to interact, as necessary, with the National Communications System Committee of Principals.
E.O. 12472, Assignment of National Security and Emergency Preparedness Telecommunications Functions (amended by E.O. 13286 of February 28, 2003, and changes made by E.O. 13407, June 26, 2006), http://www.ncs.gov/library/policy_docs/eo_12472.html | April 3, 1984 | National Communications System (NCS) | Established a national communication system as those telecommunication assets owned or leased by the federal government that can meet the national security and emergency preparedness needs of the federal government, together with an administrative structure that could ensure that a national telecommunications infrastructure is developed that is responsive to national security and emergency preparedness needs.

Note: Descriptions compiled by CRS from government websites.
Data and Statistics

This section identifies data and statistics from government, industry, and IT security firms regarding the current state of cybersecurity threats in the United States and internationally. These include incident estimates, costs, and annual reports on data security breaches, identity theft, cyber crime, malware, and network security.
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Table  1 7.  Data  and  Statistics:  Cyber  Incidents,  Data  Breaches,  Cyber  Crime 


Title 

Date 

Source 

Pages 

Notes 

20 1 3  Internet  Security  Threat  Report,  Vol.  1 8 

https://www.symantec.com/security_response/publications/threatrep 
ort.jsp?om_ext_cid=biz_socmed_twitter_facebook_marketwire_link 
edin_20 1 3Apr_worldwide_ISTR  1 8 

April  2013 

Symantec 

58 

Threats  to  online  security  have  grown  and  evolved 
considerably  in  2012.  From  the  threats  of 
cyberespionage  and  industrial  espionage  to  the 
widespread,  chronic  problems  of  malware  and 
phishing,  malware  authors  have  constantly 
improved  innovation.  There  has  also  been  an 
expansion  of  traditional  threats  into  new  forums.  In 
particular,  social  media  and  mobile  devices  have 
come  under  increasing  attack  in  2012,  even  as 
spam  and  phishing  attacks  via  traditional  routes 
have  fallen.  Online  criminals  are  following  users 
onto  these  new  platforms. 

Overview  of  Current  Cyber  Attacks  (logged  by  97  Sensors) 

http://www.sicherheitstacho.eu/ 

March  6,  2013 

Deutsche  Telekom 

N/A 

Provides  a  real-time  visualization  and  map  of 
cyberattacks  detected  by  a  network  of  97  sensors 
placed  around  the  world. 

Real-Time  Web  Monitor 

http://www.akamai.com/html/technology/dataviz  1  .html 

March  5,  2013 

Akamai 

N/A 

Akamai  monitors  global  1  nternet  conditions  around 
the  clock.  The  map  identifies  the  global  regions  with 
the  greatest  attack  traffic. 

Linking  Cybersecurity  Policy  and  Performance 

http://blogs.technet.eom/b/trustworthycomputing/archive/20 1 3/02/ 

06/linking-cybersecurity-policy-and-performance-microsoft-releases- 

special-edition-security-intelligence-report.aspx 

February  6,  20 1 3 

Microsoft 

T  rustworthy 
Computing 

27 

Introduces  a  new  methodology  for  examining  how 
socio-economic  factors  in  a  country  or  region 
impact  cybersecurity  performance,  examining 
measures  such  as  use  of  modern  technology, 
mature  processes,  user  education,  law 
enforcement  and  public  policies  related  to 
cyberspace.  This  methodology  can  build  a  model 
that  will  help  predict  the  expected  cybersecurity 
performance  of  a  given  country  or  region. 

SCADA  and  Process  Control  Security  Survey 

https://www.sans.org/reading_room/analysts_program/ 
sans_survey_scada_20 1 3.pdf 

February  1 ,  2013 

SANS  Institute 

19 

SANS  Institute  surveyed  professionals  who  work 
with  SCADA  and  process  control  systems.  Seventy 
percent  of  the  nearly  700  respondents  said  they 
consider  their  SCADA  systems  to  be  at  high  or 
severe  risk.  One-third  of  them  suspect  that  they 
have  been  already  been  infiltrated 
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Title 

Date 

Source 

Pages 

Notes 

Blurring  the  Lines:  2013  TMT  Global  Security  Study 

http://www.deloitte.com/assets/Dcom-UnitedKingdom/ 
Local%20Assets/Documents/Services/Audit/uk-ers-blurring-line- 
20 1 3-tmt-studyv2.pdf.pdf 

January  8,  20 1 3 

Deloitte 

24 

Report  states  that  88%  of  companies  do  not 
believe  that  they  are  vulnerable  to  an  external 
cyber  threat,  while  more  than  half  of  those 
surveyed  have  experienced  a  security  incident  in 
the  last  year.  Companies  rated  mistakes  by  their 
employees  as  a  top  threat,  with  70%  highlighting  a 
lack  of  security  awareness  as  a  vulnerability. 

Despite  this,  less  than  half  of  companies  (48%) 
offer  even  general  security-related  training,  with 

49%  saying  that  a  lack  of  budget  was  making  it  hard 
to  improve  security. 

Improving  the  Evidence  Base  for  Information  Security  and  Privacy 
Policies:  Understanding  the  Opportunities  and  Challenges  related  to 
Measuring  Information  Security,  Privacy  and  the  Protection  of 

Children  Online 

http://www.oecd-ilibrary.org/science-and-technology/improving-the- 
evidence-base-for-information-security-and-privacy- 
policies_5k4dq3rkb  1 9n-en 

December  20,  20 1 2 

Organisation  for 
Economic 

Cooperation  and 
Development 

94 

This  report  provides  an  overview  of  existing  data 
and  statistics  in  fields  of  information  security, 
privacy,  and  the  protection  of  children  online.  It 
highlights  the  potential  for  the  development  of 
better  indicators  in  these  respective  fields  showing 
in  particular  that  there  is  an  underexploited  wealth 
of  empirical  data  that,  if  mined  and  made 
comparable,  will  enrich  the  current  evidence  base 
for  policy  making. 

Emerging  Cyber  Threats  Report  20 1 3 

http://www.gtsecuritysummit.com/pdf/20 1 3ThreatsReport.pdf 

November  14,  2012 

Georgia  Institute  of 
Technology 

9 

The  year  ahead  will  feature  new  and  increasingly 
sophisticated  means  to  capture  and  exploit  user 
data,  escalating  battles  over  the  control  of  online 
information  and  continuous  threats  to  the  U.S. 
supply  chain  from  global  sources.  (From  the  annual 
Georgia  Tech  Cyber  Security  Summit  2012). 

State  Governments  at  Risk:  a  Call  for  Collaboration  and  Compliance 

http://www.nascio.org/publications/documents/Deloitte- 
NASCIOCybersecurityStudy20 1 2.pdf 

October  23,2012 

National  Association 
of  State  Chief 
Information  Officers 

and  Deloitte 

40 

Assesses  the  state  of  cybersecurity  across  the 
nation  found  that  only  24%  of  chief  information 
security  officers  (CISOs)  are  very  confident  in  their 
states’  ability  to  guard  data  against  external  threats. 
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Title 


Date 


Cybercrime  Costs  Rise  Nearly  40  Percent,  Attack  Frequency  October  8,  20 1 2 

Doubles 

http://www.hp.com/hpinfo/newsroom/press/20 1 2/1 21 008a.html 


2012  NCSA/Symantec  National  Small  Business  Study  October  2012 

http://www.staysafeonline.org/download/datasets/4389/ 

20 1 2_ncsa_symantec_small_business_study.pdf. 


McAfee  Explains  The  Dubious  Math  Behind  Its  ‘Unscientific’  $1  August  3,  2012 

Trillion  Data  Loss  Claim 

http://www.forbes.com/sites/andygreenberg/20 1 2/08/03/mcafee- 
explains-the-dubious-math-behind-its-unscientific- 1  -trillion-data-loss- 
claim/ 

Does  Cybercrime  Really  Cost  $  I  T rillion?  August  1 ,  2012 

http://www.propublica.org/article/does-cybercrime-really-cost- 1  - 
trillion 
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Source 


Pages 

N/A 


Notes 


HP  and  the  Ponemon 
Institute 


The  20 1 2  Cost  of  Cyber  Crime  Study  found  that 
the  average  annualized  cost  of  cybercrime  incurred 
by  a  benchmark  sample  of  U.S.  organizations  was 
$8.9  million.  This  represents  a  6%  increase  over 
the  average  cost  reported  in  201  I,  and  a  38% 
increase  over  2010.  The  2012  study  also  revealed  a 
42%  increase  in  the  number  of  cyberattacks,  with 
organizations  experiencing  an  average  of  102 
successful  attacks  per  week,  compared  with  72 
attacks  per  week  in  20 1  I  and  50  attacks  per  week 
in  2010. 


National  Cyber  18  The  NCSA  surveyed  more  than  1,000  small  and 

Security  Alliance  midsize  businesses.  The  survey  found  that  83%  of 

respondents  said  they  don’t  have  a  written  plan  for 
protecting  their  companies  against  cyberattacks, 
while  76%  think  they  are  safe  from  hackers, 
viruses,  malware,  and  cybersecurity  breaches. 

Forbes.com  N/A  No,  the  statistic  was  not  simply  made  up.  Yes,  it’s 

just  a  “ballpark  figure”  and  an  “unscientific”  one, 
the  company  admits.  But  despite  Pro  Publica’s 
criticisms  and  its  own  rather  fuzzy  math,  the 
company  stands  by  its  trillion-dollar  conclusion  as  a 
(very)  rough  estimate. 

ProPublica  N/A  In  a  news  release  from  computer  security  firm 

McAfee  announcing  its  2009  report,  “Unsecured 
Economies:  Protecting  Vital  Information,”  the 
company  estimated  a  trillion  dollar  global  cost  for 
cybercrime.  That  number  does  not  appear  in  the 
report  itself.  McAfee’s  trillion-dollar  estimate  is 
questioned  by  the  three  independent  researchers 
from  Purdue  University  whom  McAfee  credits  with 
analyzing  the  raw  data  from  which  the  estimate 
was  derived.  An  examination  of  their  origins  by 
ProPublica  has  found  new  grounds  to  question  the 
data  and  methods  used  to  generate  these  numbers, 
which  McAfee  and  Symantec  say  they  stand  behind. 


Title 

Date 

Source 

Pages 

Notes 

ICS-CERT  Incident  Response  Summary  Report 

http://www.us-cert.gov/control_systems/pdf/ICS- 
CERT_lncident_Response_Summary_Report_09_l  1  .pdf 

June  28,  2012 

U.S.  Industrial 

Control  System 

Cyber  Emergency 
Response  Team  (ICS- 
CERT) 

17 

The  number  of  reported  cyberattacks  on  U.S. 
critical  infrastructure  increased  sharply — from  9 
incidents  in  2009  to  198  in  201  1;  water  sector- 
specific  incidents,  when  added  to  the  incidents  that 
affected  several  sectors,  accounted  for  more  than 
half  of  the  incidents;  in  more  than  half  of  the  most 
serious  cases,  implementing  best  practices,  such  as 
login  limitation  or  properly  configured  firewall, 
would  have  deterred  the  attack,  reduced  the  time 
it  would  have  taken  to  detect  an  attack,  and 
minimized  its  impact. 

Measuring  the  Cost  of  Cybercrime 

http://weis20 1 2.econinfosec.org/papers/Anderson_WEIS20 1 2.pdf 

June  25,  2012 

1  Ith  Annual 

Workshop  on  the 
Economics  of 
Information  Security 

N/A 

“For  each  of  the  main  categories  of  cybercrime  we 
set  out  what  is  and  is  not  known  of  the  direct 
costs,  indirect  costs  and  defence  costs  -  both  to 
the  UK  and  to  the  world  as  a  whole.” 

Worldwide  Threat  Assessment:  Infection  Rates  and  Threat  Trends 
by  Location 

ongoing 

Microsoft  Security 
Intelligence  Report 

N/A 

Data  on  infection  rates,  malicious  websites,  and 
threat  trends  by  regional  location,  worldwide. 

http://www.microsoft.com/security/sir/threat/ 

default.aspx#!introduction 

(SIR) 

2012  Data  Breach  Investigations  Report 

http://www.verizonenterprise.com/resources/reports/rp_data- 
breach-investigations-report-20 1 2-ebk_en_xg.pdf? _ ct_return=  1 

March  22,  2012 

Verizon 

80 

This  year  our  DBIR  includes  more  incidents, 
derived  from  more  contributors,  and  represents  a 
broader  and  more  diverse  geographical  scope.  The 
number  of  compromised  records  across  these 
incidents  skyrocketed  back  up  to  174  million  after 
reaching  an  all-time  low  (or  high,  depending  on 
your  point  of  view)  in  last  year’s  report  of  four 
million.  In  fact,  201  1  boasts  the  second-highest  data 
loss  total  since  we  started  keeping  track  in  2004. 

McAfee  Research  &  Reports  (multiple) 

http://www.mcafee.com/us/about/newsroom/research-reports.aspx 

2009-2012 

McAfee 

N/A 

Links  to  reports  on  cybersecurity  threats,  malware, 
cybercrime,  and  spam. 

Significant  Cyber  Incidents  Since  2006 

http://csis.org/publication/cyber-events-2006 

January  19,  2012 

Center  for  Strategic 
and  International 

Studies  (CSIS) 

9 

A  list  of  significant  cyber  events  since  2006.  From 
the  report,  “Significance  is  in  the  eye  of  the 
beholder,  but  we  focus  on  successful  attacks  on 
government  agencies,  defense  and  high  tech 
companies,  or  economic  crimes  with  losses  of 
more  than  a  million  dollars.” 
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Title 

Date 

Source 

Pages 

Notes 

201  1  ITRC  Breach  Report  Key  Findings 

http://www.idtheftcenter.org/artman2/publish/headlines/ 

Breaches_20l  l.shtml 

December  1 0,  20 1  1 

Identity  Theft 

Resource  Center 
(ITRC) 

N/A 

According  to  the  report,  hacking  attacks  were 
responsible  for  more  than  one-quarter  (25.8%)  of 
the  data  breaches  recorded  in  the  Identity  Theft 
Resource  Center’s  201 1  breach  Report,  hitting  a 
five-year  all  time  high.  This  was  followed  by  “Data 
on  the  Move”  (when  an  electronic  storage  device, 
laptop,  or  paper  folders  leave  the  office  where  they 
are  normally  stored)  and  “Insider  Theft,”  at  1 8. 1% 
and  13.4%  respectively. 

The  Risk  of  Social  Engineering  on  Information  Security:  A  Survey  of 

IT  Professionals 

http://www.checkpoint.com/press/downloads/social-engineering- 

survey.pdf 

September  20 1  1 

Check  Point 

7 

[The]  report  reveals  48%  of  large  companies  and 

32%  of  companies  of  all  sizes  surveyed  have  been 
victims  of  social  engineering,  experiencing  25  or 
more  attacks  in  the  past  two  years,  costing 
businesses  anywhere  from  $25,000  to  over 
$100,000  per  security  incident.  [P]hishing  and 
social  networking  tools  are  the  most  common 
sources  of  socially  engineered  threats. 

Second  Annual  Cost  of  Cyber  Crime  Study 

http://www.arcsight.com/collateral/whitepapers/ 

20 1  l_Cost_of_Cyber_Crime_Study_August.pdf 

August  20 1  1 

Ponemon  Institute 

30 

[T]he  median  annualized  cost  for  50  benchmarked 
organizations  is  $5.9  million  per  year,  with  a  range 
from  $1.5  million  to  $36.5  million  each  year  per 
company.  This  represents  an  increase  in  median 
cost  of  56%  from  [Ponemon’s]  first  cyber  cost 
study  published  last  year. 

Revealed:  Operation  Shady  RAT:  an  Investigation  of  Targeted 
Intrusions  into  70+  Global  Companies,  Governments,  and  Non- 
Profit  Organizations  During  the  Last  5  Years 

http://www.mcafee.com/us/resources/white-papers/wp-operation- 

shady-rat.pdf 

August  2,  20 1  1 

McAfee  Research 

Labs 

14 

A  comprehensive  analysis  of  victim  profiles  from  a 
five-year  targeted  operation  which  penetrated  72 
government  and  other  organizations,  most  of  them 
in  the  United  States,  and  copied  everything  from 
military  secrets  to  industrial  designs.  See  page  4  for 
types  of  compromised  parties,  page  5  for 
geographic  distribution  of  victim’s  country  of 
origin,  pages  7-9  for  types  of  victims,  and  pages  10- 
1 3  for  the  number  of  intrusions  for  2007-20 1 0. 

Title: 2010 Annual Study: U.S. Cost of a Data Breach
URL: http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach
Source: Ponemon Institute/Symantec
Date: March 2011
Pages: 39
Notes: The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record.

Title: FY2010 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002
URL: http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/FY10_FISMA.pdf
Source: White House/Office of Management and Budget
Date: March 2011
Pages: 48
Notes: The number of attacks against federal networks increased nearly 40% last year, while the number of incidents targeting U.S. computers overall was down roughly 1% for the same period. (See pp. 12-13.)

Title: A Good Decade for Cybercrime: McAfee’s Look Back at Ten Years of Cybercrime
URL: http://www.mcafee.com/us/resources/reports/rp-good-decade-for-cybercrime.pdf
Source: McAfee
Date: December 29, 2010
Pages: 11
Notes: A review of the most publicized, pervasive, and costly cybercrime exploits from 2000-2010.

Note: Statistics are from the source publication and have not been independently verified by CRS.
Cybersecurity Glossaries

Table 18 includes links to glossaries of useful cybersecurity terms, including those related to cloud computing and cyberwarfare.


Table 18. Glossaries of Cybersecurity Terms

Columns: Title (with URL), Source, Date, Pages, Notes

Title: Cloud Computing Reference Architecture
URL: http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf
Source: National Institute of Standards and Technology (NIST)
Date: September 2011
Pages: 35
Notes: Provides guidance to specific communities of practitioners and researchers.

Title: Glossary of Key Information Security Terms
URL: http://csrc.nist.gov/publications/nistir/ir7298-rev1/nistir-7298-revision1.pdf
Source: NIST
Date: February 2011
Pages: 211
Notes: The glossary provides a central resource of terms and definitions most commonly used in NIST information security publications and in Committee for National Security Systems (CNSS) information assurance publications.

Title: CIS Consensus Information Security Metrics
URL: http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.metrics.110
Source: Center for Internet Security
Date: November 2010
Pages: 175
Notes: Provides definitions for security professionals to measure some of the most important aspects of the information security status. The goal is to give an organization the ability to repeatedly evaluate security in a standardized way, allowing it to identify trends, understand the impact of activities and make responses to improve the security status. (Free registration required.)

Title: Joint Terminology for Cyberspace Operations
URL: http://www.projectcyw-d.org/resources/items/show/51
Source: Chairman of the Joint Chiefs of Staff
Date: November 1, 2010
Pages: 16
Notes: This lexicon is the starting point for normalizing terms in all cyber-related documents, instructions, CONOPS, and publications as they come up for review.

Title: Department of Defense Dictionary of Military and Associated Terms
URL: http://www.dtic.mil/doctrine/new_pubs/jp1_02.pdf
Source: Chairman of the Joint Chiefs of Staff
Date: November 8, 2010 (as amended through January 15, 2012)
Pages: 547
Notes: Provides joint policy and guidance for Information Assurance (IA) and Computer Network Operations (CNO) activities.

Title: DHS Risk Lexicon
URL: http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf
Source: Department of Homeland Security (DHS) Risk Steering Committee
Date: September 2010
Pages: 72
Notes: The lexicon promulgates a common language, facilitates the clear exchange of structured and unstructured data, and provides consistency and clear understanding with regard to the usage of terms by the risk community across the DHS.

Note: Highlights compiled by CRS from the reports.
Reports by Topic

This section gives references to analytical reports on cybersecurity from CRS, other governmental agencies, and trade organizations. The reports are grouped under the following cybersecurity topics: policy framework overview, critical infrastructure, and cybercrime and national security.

For each topic, CRS reports are listed first, followed by tables with reports from other organizations. The overview reports provide an analysis of a broad range of cybersecurity issues (Table 19 to Table 24). The critical infrastructure reports (Table 25) analyze cybersecurity issues related to telecom infrastructure, the electricity grid, and industrial control systems. The cybercrime and national security reports (Table 26) analyze a wide range of cybersecurity issues, including identity theft and government policies for dealing with cyberwar scenarios. In addition, tables with selected reports on international efforts to address cybersecurity problems, training for cybersecurity professionals, and research and development efforts in other areas are also provided (Table 27 to Table 29).

CRS Reports Overview: Cybersecurity Policy Framework

• CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions, by Eric A. Fischer

• CRS Report R41941, The Obama Administration’s Cybersecurity Proposal: Criminal Provisions, by Gina Stevens

• CRS Report R40150, A Federal Chief Technology Officer in the Obama Administration: Options and Issues for Consideration, by John F. Sargent Jr.

• CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu et al.

• CRS Report R43015, Cloud Computing: Constitutional and Statutory Privacy Protections, by Richard M. Thompson II.


Table 19. Selected Reports: Cybersecurity Overview

Columns: Title (with URL), Source, Date, Pages, Notes

Title: Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity
URL: http://www.safegov.org/media/46155/measuring_what_matters_final.pdf
Source: Safegov.org, in coordination with the National Academy of Public Administration
Date: March 2013
Pages: 39
Notes: Rather than periodically auditing whether an agency's systems meet the standards enumerated in FISMA at a static moment in time, agencies and their inspectors general should keep running scorecards of "cyber risk indicators" based on continual IG assessments of a federal organization's cyber vulnerabilities.

Title: Developing a Framework To Improve Critical Infrastructure Cybersecurity (Federal Register Notice; Request for Information)
URL: http://www.gpo.gov/fdsys/pkg/FR-2013-02-26/pdf/2013-04413.pdf
Source: National Institute of Standards and Technology (NIST)
Date: February 12, 2013
Pages: 5
Notes: NIST announced the first step in the development of a Cybersecurity Framework, which will be a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that are vital to the nation’s economy, security, and daily life.

Title: The National Cyber Security Framework Manual
URL: http://www.ccdcoe.org/publications/books/NationalCyberSecurityFrameworkManual.pdf
Source: NATO Cooperative Cyber Defense Center of Excellence
Date: December 11, 2012
Pages: 253
Notes: Provides detailed background information and in-depth theoretical frameworks to help the reader understand the various facets of National Cyber Security, according to different levels of public policy formulation. The four levels of government (political, strategic, operational and tactical/technical) each have their own perspectives on National Cyber Security, and each is addressed in individual sections within the Manual.

Title: Cyber Security Task Force: Public-Private Information Sharing
URL: http://bipartisanpolicy.org/sites/default/files/Public-Private%20Information%20Sharing.pdf
Source: Bipartisan Policy Center
Date: July 2012
Pages: 24
Notes: Outlines a series of proposals that would enhance information sharing. The recommendations have two major components: (1) mitigation of perceived legal impediments to information sharing, and (2) incentivizing private sector information sharing by alleviating statutory and regulatory obstacles.
Title: Cyber-security: The Vexed Question of Global Rules: An Independent Report on Cyber-Preparedness Around the World
URL: http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf
Source: McAfee and the Security Defense Agenda
Date: February 2012
Pages: 108
Notes: The report examines the current state of cyber-preparedness around the world, and is based on survey results from 80 policy-makers and cybersecurity experts in the government, business, and academic sectors from 27 countries. The countries were ranked on their state of cyber-preparedness.

Title: Mission Critical: A Public-Private Strategy for Effective Cybersecurity
URL: http://businessroundtable.org/uploads/studies-reports/downloads/2011_10_Mission_Critical_A_Public-Private_Strategy_for_Effective_Cybersecurity_4_20_12.pdf
Source: Business Roundtable
Date: October 11, 2011
Pages: 28
Notes: According to the report, “[p]ublic policy solutions must recognize the absolute importance of leveraging policy foundations that support effective global risk management, in contrast to ‘check-the-box’ compliance approaches that can undermine security and cooperation.” The document concludes with specific policy proposals and activity commitments.

Title: Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG)
URL: http://www.sans.org/critical-security-controls/
Source: SANS
Date: October 3, 2011
Pages: 77
Notes: The 20 critical security control measures are intended to focus agencies’ and large enterprises’ limited resources by plugging the most common attack vectors.

Title: World Cybersecurity Technology Research Summit (Belfast 2011)
URL: http://www.csit.qub.ac.uk/InnovationatCSIT/Reports/Filetoupload,295594.en.pdf
Source: Centre for Secure Information Technologies (CSIT)
Date: September 12, 2011
Pages: 14
Notes: The Belfast 2011 event attracted international cyber security experts from leading research institutes, government bodies, and industry, who gathered to discuss current cyber security threats, predict future threats and the necessary mitigation techniques, and develop a collective strategy for future research.


Title: A Review of Frequently Used Cyber Analogies
URL: http://www.nsci-va.org/WhitePapers/2011-07-22-Cyber-Analogies-Whitepaper-K-McKee.pdf
Source: National Security Cyberspace Institute
Date: July 22, 2011
Pages: 7
Notes: The current cybersecurity crisis can be described several ways with numerous metaphors. Many compare the lawlessness of the current crisis to that of the Wild West, and the outdated tactics and race to security to the Cold War. When cyberspace is treated as a distressed ecosystem, the work of both national and international agencies to eradicate many infectious diseases serves as a model of how poor health can be corrected with proper resources and execution. Before these issues are discussed, what cyberspace actually is must be identified.

Title: America’s Cyber Future: Security and Prosperity in the Information Age
URL: http://www.cnas.org/node/6405
Source: Center for a New American Security
Date: June 1, 2011
Pages: 296
Notes: To help U.S. policymakers address the growing danger of cyber insecurity, this two-volume report features chapters on cyber security strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology.

Title: Resilience of the Internet Interconnection Ecosystem
URL: http://www.enisa.europa.eu/act/res/other-areas/inter-x/report/interx-report
Source: European Network and Information Security Agency (ENISA)
Date: April 11, 2011
Pages: 238
Notes: Part I: Summary and Recommendations; Part II: State of the Art Review (a detailed description of the Internet’s routing mechanisms and analysis of their robustness at the technical, economic and policy levels); Part III: Report on the Consultation (a broad range of stakeholders were consulted; this part reports on the consultation and summarizes the results); Part IV: Bibliography and Appendices.

Title: Improving our Nation’s Cybersecurity through the Public-Private Partnership: A White Paper
URL: http://www.cdt.org/files/pdfs/20110308_cbyersec_paper.pdf
Source: Business Software Alliance, Center for Democracy & Technology, U.S. Chamber of Commerce, Internet Security Alliance, TechAmerica
Date: March 8, 2011
Pages: 26
Notes: This paper proposes expanding the existing partnership within the framework of the National Infrastructure Protection Plan. Specifically, it makes a series of recommendations that build upon the conclusions of President Obama’s Cyberspace Policy Review.


Title: Cybersecurity Two Years Later
URL: http://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf
Source: CSIS Commission on Cybersecurity for the 44th Presidency, Center for Strategic and International Studies
Date: January 2011
Pages: 22
Notes: From the report: “We thought then [in 2008] that securing cyberspace had become a critical challenge for national security, which our nation was not prepared to meet.... In our view, we are still not prepared.”

Title: Toward Better Usability, Security, and Privacy of Information Technology: Report of a Workshop
URL: http://www.nap.edu/catalog.php?record_id=12998
Source: National Research Council
Date: September 21, 2010
Pages: 70
Notes: Discusses computer system security and privacy, their relationship to usability, and research at their intersection. This is drawn from remarks made at the National Research Council’s July 2009 Workshop on Usability, Security and Privacy of Computer Systems as well as recent reports from the NRC's Computer Science and Telecommunications Board on security and privacy.

Title: National Security Threats in Cyberspace
URL: http://nationalstrategy.com/Portals/0/documents/National%20Security%20Threats%20in%20Cyberspace.pdf
Source: Joint Workshop of the National Security Threats in Cyberspace and the National Strategy Forum
Date: September 15, 2009
Pages: 37
Notes: The two-day workshop brought together more than two dozen experts with diverse backgrounds: physicists; telecommunications executives; Silicon Valley entrepreneurs; federal law enforcement, military, homeland security, and intelligence officials; congressional staffers; and civil liberties advocates. For two days they engaged in an open-ended discussion of cyber policy as it relates to national security, under Chatham House Rules: their comments were for the public record, but they were not for attribution.

Note: Highlights compiled by CRS from the reports.


Table 20. Selected Government Reports: Government Accountability Office (GAO)

Columns: Title (with URL), Date, Pages, Notes

Title: Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts
URL: http://www.gao.gov/products/GAO-13-275?source=ra
Date: April 11, 2013
Pages: 45
Notes: Until the Department of Homeland Security and its sector partners develop appropriate outcome-oriented metrics, it will be difficult to gauge the effectiveness of efforts to protect the nation’s core and access communications networks and critical support components of the Internet from cyber incidents. While no cyber incidents have been reported affecting the nation’s core and access networks, communications network operators can use reporting mechanisms established by FCC and DHS to share information on outages and incidents.

Title: Cybersecurity: A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges
URL: http://www.gao.gov/products/GAO-13-462T
Date: March 7, 2013
Pages: 36
Notes: “[A]lthough federal law assigns the Office of Management and Budget (OMB) responsibility for oversight of federal government information security, OMB recently transferred several of these responsibilities to DHS.... [I]t remains unclear how OMB and DHS are to share oversight of individual departments and agencies. Additional legislation could clarify these responsibilities.”

Title: 2013 High Risk List
URL: http://www.gao.gov/highrisk#t=0
Date: February 14, 2013
Pages: 275
Notes: Every two years at the start of a new Congress, GAO calls attention to agencies and program areas that are high risk due to their vulnerabilities to fraud, waste, abuse, and mismanagement, or are most in need of transformation. Cybersecurity programs on the list include: Protecting the Federal Government's Information Systems and the Nation's Cyber Critical Infrastructures and Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests.

Title: Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented
URL: http://www.gao.gov/products/GAO-13-187
Date: February 14, 2013
Pages: 112
Notes: GAO recommends that the White House Cybersecurity Coordinator develop an overarching federal cybersecurity strategy that includes all key elements of the desirable characteristics of a national strategy. Such a strategy would provide a more effective framework for implementing cybersecurity activities and better ensure that such activities will lead to progress in cybersecurity.

Title: Information Security: Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project
URL: http://www.gao.gov/products/GAO-13-155
Date: January 25, 2013
Pages: 35
Notes: “The FCC did not effectively implement appropriate information security controls in the initial components of the Enhanced Secured Network (ESN) project.... Weaknesses identified in the commission’s deployment of components of the ESN project as of August 2012 resulted in unnecessary risk that sensitive information could be disclosed, modified, or obtained without authorization. GAO is making seven recommendations to the FCC to implement management controls to help ensure that ESN meets its objective of securing FCC's systems and information.”

Title: Cybersecurity: Challenges in Securing the Electricity Grid
URL: http://www.gao.gov/products/GAO-12-926T
Date: July 17, 2012
Pages: 25
Notes: In a prior report, GAO made recommendations related to electricity grid modernization efforts, including developing an approach to monitor compliance with voluntary standards. These recommendations have not yet been implemented.

Title: Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned
URL: http://www.gao.gov/products/GAO-12-756
Date: July 11, 2012
Pages: 43
Notes: To help ensure the success of agencies’ implementation of cloud-based solutions, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration and Small Business Administration should direct their respective chief information officer (CIO) to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service discussed in this report, as applicable.

Title: DOD Actions Needed to Strengthen Management and Oversight
URL: http://www.gao.gov/products/GAO-12-479?source=ra
Date: July 9, 2012
Pages: 46
Notes: DOD’s oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective department-wide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources.

Title: Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage
URL: http://www.gao.gov/products/GAO-12-876T
Date: June 28, 2012
Pages: 20
Notes: This statement discusses (1) cyber threats facing the nation’s systems, (2) reported cyber incidents and their impacts, (3) security controls and other techniques available for reducing risk, and (4) the responsibilities of key federal entities in support of protecting IP.

Title: Cybersecurity: Challenges to Securing the Modernized Electricity Grid
URL: http://www.gao.gov/products/GAO-12-507T
Date: February 28, 2012
Pages: 19
Notes: As GAO reported in January 2011, securing smart grid systems and networks presented a number of key challenges that required attention by government and industry. GAO made several recommendations to the Federal Energy Regulatory Commission (FERC) aimed at addressing these challenges. The commission agreed with these recommendations and described steps it is taking to implement them.

Title: Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
URL: http://www.gao.gov/products/GAO-12-92
Date: December 9, 2011
Pages: 77
Notes: Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.

Title: Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination
URL: http://www.gao.gov/products/GAO-12-8
Date: November 29, 2011
Pages: 86
Notes: All the agencies GAO reviewed faced challenges determining the size of their cybersecurity workforce because of variations in how work is defined and the lack of an occupational series specific to cybersecurity. With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cybersecurity workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council (CIOC) and National Institute of Standards and Technology (NIST).
Title: Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management
URL: http://www.gao.gov/products/GAO-11-634
Date: October 17, 2011
Pages: 72
Notes: GAO is recommending that the Office of Management and Budget (OMB) update its guidance to establish measures of accountability for ensuring that CIOs’ responsibilities are fully implemented and require agencies to establish internal processes for documenting lessons learned.

Title: Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
URL: http://www.gao.gov/products/GAO-12-130T
Date: October 5, 2011
Pages: 17
Notes: Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that NIST issue guidance specific to cloud computing security.

Title: Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements
URL: http://www.gao.gov/products/GAO-12-137
Date: October 3, 2011
Pages: 49
Notes: Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing over 650% over the past 5 years. Each of the 24 agencies reviewed had weaknesses in information security controls.


Title: Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates
URL: http://www.gao.gov/products/GAO-11-695R
Date: July 29, 2011
Pages: 33
Notes: This letter discusses the Department of Defense’s cyber and information assurance budget for FY2012 and future years defense spending. The objectives of this review were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department and (2) identify the challenges DOD has faced in providing such estimates.

Title: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure
URL: http://www.gao.gov/products/GAO-11-463T
Date: July 26, 2011
Pages: 20
Notes: A number of significant challenges remain to enhancing the security of cyber-reliant critical infrastructures, such as (1) implementing actions recommended by the President's cybersecurity policy review; (2) updating the national strategy for securing the information and communications infrastructure; (3) reassessing DHS's planning approach to critical infrastructure protection; (4) strengthening public-private partnerships, particularly for information sharing; (5) enhancing the national capability for cyber warning and analysis; (6) addressing global aspects of cybersecurity and governance; and (7) securing the modernized electricity grid.

Title: Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities
URL: http://www.gao.gov/products/GAO-11-75
Date: July 25, 2011
Pages: 79
Notes: GAO recommends that DOD evaluate how it is organized to address cybersecurity threats; assess the extent to which it has developed joint doctrine that addresses cyberspace operations; examine how it assigned command and control responsibilities; and determine how it identifies and acts to mitigate key capability gaps involving cyberspace operations.
Title: Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed
URL: http://www.gao.gov/products/GAO-10-628
Date: August 16, 2010
Pages: 38
Notes: The Special Assistant to the President and Cybersecurity Coordinator and the Secretary of Homeland Security should take two actions: (1) use the results of this report to focus their information-sharing efforts, including their relevant pilot projects, on the most desired services, including providing timely and actionable threat and alert information, access to sensitive or classified information, a secure mechanism for sharing information, and security clearance; and (2) bolster the efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community.

Title: Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain
URL: http://www.gao.gov/products/GAO-11-149
Date: July 8, 2011
Pages: 63
Notes: The Department of State implemented a custom application called iPost and a risk scoring program that is intended to provide continuous monitoring capabilities of information security risk to elements of its information technology (IT) infrastructure. To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to develop, document, and maintain an iPost configuration management and test process.

Title: Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure and Federal Information Systems
URL: http://www.gao.gov/products/GAO-11-463T
Date: March 16, 2011
Pages: 16
Notes: Executive branch agencies have made progress instituting several government-wide initiatives aimed at bolstering aspects of federal cybersecurity, such as reducing the number of federal access points to the Internet, establishing security configurations for desktop computers, and enhancing situational awareness of cyber events. Despite these efforts, the federal government continues to face significant challenges in protecting the nation's cyber-reliant critical infrastructure and federal information systems.

Title: Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed
URL: http://www.gao.gov/products/GAO-11-117
Date: January 12, 2011
Pages: 50
Notes: GAO identified six key challenges: (1) Aspects of the regulatory environment may make it difficult to ensure smart grid systems’ cybersecurity. (2) Utilities are focusing on regulatory compliance instead of comprehensive security. (3) The electric industry does not have an effective mechanism for sharing information on cybersecurity. (4) Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems. (5) There is a lack of security features being built into certain smart grid systems. (6) The electricity industry does not have metrics for evaluating cybersecurity.

Information  Security:  Federal  Agencies  Have  Taken  Steps 
to  Secure  Wireless  Networks,  but  Further  Actions  Can 
Mitigate  Risk 

http://www.gao.gov/products/GAO- 1  1  -43 

November  30,  20 1 0 

50 

Existing  government-wide  guidelines  and  oversight  efforts  do  not  fully  address 
agency  implementation  of  leading  wireless  security  practices.  Until  agencies 
take  steps  to  better  implement  these  leading  practices,  and  OMB  takes  steps 
to  improve  government-wide  oversight,  wireless  networks  will  remain  at  an 
increased  vulnerability  to  attack. 
Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed

http://www.gao.gov/products/GAO-11-24

October 6, 2010

66

Of the 24 recommendations in the President's May 2009 cyber policy review report, 2 have been fully implemented, and 22 have been partially implemented. While these efforts appear to be steps forward, agencies were largely not able to provide milestones and plans that showed when and how implementation of the recommendations was to occur.

DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened

http://www.gao.gov/products/GAO-10-772

September 23, 2010

46

The Department of Homeland Security (DHS) has not developed an effective way to ensure that critical national infrastructure, such as electrical grids and telecommunications networks, can bounce back from a disaster. DHS has conducted surveys and vulnerability assessments of critical infrastructure to identify gaps, but has not developed a way to measure whether owners and operators of that infrastructure adopt measures to reduce risks.

Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems

http://www.gao.gov/products/GAO-10-916

September 15, 2010

38

OMB and NIST established policies and guidance for civilian non-national security systems, while other organizations, including the Committee on National Security Systems (CNSS), DOD, and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO was asked to assess the progress of federal efforts to harmonize policies and guidance for these two types of systems.

United States Faces Challenges in Addressing Global Cybersecurity and Governance

http://www.gao.gov/products/GAO-10-606

August 2, 2010

53

GAO recommends that the Special Assistant to the President and Cybersecurity Coordinator should make recommendations to appropriate agencies and interagency coordination committees regarding any necessary changes to more effectively coordinate and forge a coherent national approach to cyberspace policy.

Federal Guidance Needed to Address Control Issues With Implementing Cloud Computing

http://www.gao.gov/products/GAO-10-513

July 1, 2010

53

To assist federal agencies in identifying uses for cloud computing and information security measures to use in implementing cloud computing, the Director of OMB should establish milestones for completing a strategy for implementing the federal cloud computing initiative.

Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats

http://www.gao.gov/products/GAO-10-834t

June 16, 2010

15

Multiple opportunities exist to improve federal cybersecurity. To address identified deficiencies in agencies' security controls and shortfalls in their information security programs, GAO and agency inspectors general have made hundreds of recommendations over the past several years, many of which agencies are implementing. In addition, the White House, OMB, and certain federal agencies have undertaken several government-wide initiatives intended to enhance information security at federal agencies. While progress has been made on these initiatives, they all face challenges that require sustained attention, and GAO has made several recommendations for improving the implementation and effectiveness of these initiatives.
Information Security: Concerted Response Needed to Resolve Persistent Weaknesses

http://www.gao.gov/products/GAO-10-536t

March 24, 2010

21

Without proper safeguards, federal computer systems are vulnerable to intrusions by individuals who have malicious intentions and can obtain sensitive information. The need for a vigilant approach to information security has been demonstrated by the pervasive and sustained cyber attacks against the United States; these attacks continue to pose a potentially devastating impact to systems and the operations and critical infrastructures they support.

Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats

http://www.gao.gov/products/GAO-11-463T

March 16, 2010

15

The White House, the Office of Management and Budget, and certain federal agencies have undertaken several government-wide initiatives intended to enhance information security at federal agencies. While progress has been made on these initiatives, they all face challenges that require sustained attention, and GAO has made several recommendations for improving the implementation and effectiveness of these initiatives.

Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies

http://www.gao.gov/products/GAO-10-237

April 12, 2010

40

To reduce the threat to federal systems and operations posed by cyber attacks on the United States, OMB launched, in November 2007, the Trusted Internet Connections (TIC) initiative, and later, in 2008, DHS's National Cybersecurity Protection System (NCPS), operationally known as Einstein, which became mandatory for federal agencies as part of TIC. To further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, DHS's Secretary should, to better understand whether Einstein alerts are valid, develop additional performance measures that indicate how agencies respond to alerts.

Cybersecurity: Progress Made But Challenges Remain in Defining and Coordinating the Comprehensive National Initiative

http://www.gao.gov/products/GAO-10-338

March 5, 2010

64

To address strategic challenges in areas that are not the subject of existing projects within CNCI but remain key to achieving the initiative's overall goal of securing federal information systems, OMB's Director should continue developing a strategic approach to identity management and authentication, linked to HSPD-12 implementation, as initially described in the CIOC's plan for implementing federal identity, credential, and access management, so as to provide greater assurance that only authorized individuals and entities can gain access to federal information systems.

Continued Efforts Are Needed to Protect Information Systems from Evolving Threats

http://www.gao.gov/products/GAO-10-230t

November 17, 2009

24

GAO has identified weaknesses in all major categories of information security controls at federal agencies. For example, in FY2008, weaknesses were reported in such controls at 23 of 24 major agencies. Specifically, agencies did not consistently authenticate users to prevent unauthorized access to systems; apply encryption to protect sensitive data; and log, audit, and monitor security-relevant events, among other actions.

Efforts to Improve Information Sharing Need to Be Strengthened

http://www.gao.gov/products/GAO-03-760

August 27, 2003

59

Information on threats, methods, and techniques of terrorists is not routinely shared; and the information that is shared is not perceived as timely, accurate, or relevant.

Source: Highlights compiled by CRS from the GAO reports.
Improving Cybersecurity

http://technology.performance.gov/initiative/ensure-cybersecurity/home

March 2013

N/A

The Administration updated all 14 cross-agency priority goals on the Performance.gov portal, giving all new targets for agencies to hit over the next two years. The Office of Management and Budget also is using the opportunity to better connect agency performance improvement officers to the Trusted Internet Connections and Homeland Security.

FY 2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002

http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy12_fisma.pdf

March 2013

68

More government programs violated data security law standards in 2012 than in the previous year, and at the same time, computer security costs have increased by more than $1 billion. Inadequate training was a large part of the reason all-around FISMA adherence scores slipped from 75% in 2011 to 74% in 2012. Agencies reported that about 88% of personnel with system access privileges received annual security awareness instruction, down from 99% in 2011. Meanwhile, personnel expenses accounted for the vast majority — 90% — of the $14.6 billion departments spent on information technology security in 2012.

Administration Strategy for Mitigating the Theft of U.S. Trade Secrets

http://www.whitehouse.gov/sites/default/files/omb/IPEC/admin_strategy_on_mitigating_the_theft_of_u.s._trade_secrets.pdf

February 20, 2013

141

"First, we will increase our diplomatic engagement.... Second, we will support industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.... Third, DOJ will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.... Fourth, President Obama recently signed two pieces of legislation that will improve enforcement against trade secret theft.... Lastly, we will increase public awareness of the threats and risks to the U.S. economy posed by trade secret theft."

National Strategy for Information Sharing and Safeguarding

http://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategy_1.pdf

December 2012

24

Provides guidance for effective development, integration, and implementation of policies, processes, standards, and technologies to promote secure and responsible information sharing.

Can the President Deal with Cybersecurity Issues via Executive Order?

October 19, 2012

N/A

When it comes to executive orders and emerging areas of law, the initial question that is always raised is whether the President has the authority to issue the executive order in the specified area — in this instance, cybersecurity. Not surprisingly, the answer is "it depends."

Source: CRS Legal Sidebar.
Collaborative and Cross-Cutting Approaches to Cybersecurity

http://www.whitehouse.gov/blog/2012/08/01/collaborative-and-cross-cutting-approaches-cybersecurity

August 1, 2012

N/A

Michael Daniel, White House Cybersecurity Coordinator, highlights a few recent initiatives where voluntary, cooperative actions are helping to improve the nation's overall cybersecurity.

Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program

http://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf

December 6, 2011

36

As a research and development strategy, this plan defines four strategic thrusts: Inducing Change; Developing Scientific Foundations; Maximizing Research Impact; and Accelerating Transition to Practice.

Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information

http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-structural-reforms-improve-security-classified-networks-

October 7, 2011

N/A

President Obama signed an executive order outlining data security measures and rules for government agencies to follow to prevent further data leaks by insiders. The order included the creation of a senior steering committee that will oversee the safeguarding and sharing of information.

FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf

September 14, 2011

29

Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs. Continuous monitoring programs thus fulfill the three-year security reauthorization requirement, so a separate re-authorization process is not necessary.

International Strategy for Cyberspace

http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf

May 16, 2011

30

The strategy marks the first time any administration has attempted to set forth in one document the U.S. government's vision for cyberspace, including goals for defense, diplomacy, and international development.

Cybersecurity Legislative Proposal (Fact Sheet)

http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal

May 12, 2011

N/A

The Administration's proposal ensures the protection of individuals' privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. The Administration's legislative proposal includes: Management, Personnel, Intrusion Prevention Systems, and Data Centers.

Federal Cloud Computing Strategy

http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf

February 13, 2011

43

The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance.
25 Point Implementation Plan to Reform Federal Information Technology Management

http://www.cio.gov/documents/25-Point-Implementation-Plan-to-Reform-Federal%20IT.pdf

December 9, 2010

40

The plan's goals are to reduce the number of federally run data centers from 2,100 to approximately 1,300, rectify or cancel one-third of troubled IT projects, and require federal agencies to adopt a "cloud first" strategy in which they will move at least one system to a hosted environment within a year.

Clarifying Cybersecurity Responsibilities

http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-28.pdf

July 6, 2010

39

This memorandum outlines and clarifies the respective responsibilities and activities of the Office of Management and Budget (OMB), the Cybersecurity Coordinator, and DHS, in particular with respect to the Federal Government's implementation of the Federal Information Security Management Act of 2002 (FISMA).

The National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy

http://www.dhs.gov/xlibrary/assets/ns_tic.pdf

June 25, 2010

39

The NSTIC, which is in response to one of the near-term action items in the President's Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure where transactions occur.

Comprehensive National Cybersecurity Initiative (CNCI)

http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative

March 2, 2010

5

The CNCI establishes a multi-pronged approach the federal government is to take in identifying current and emerging cyber threats, shoring up current and future telecommunications and cyber vulnerabilities, and responding to or proactively addressing entities that wish to steal or manipulate protected data on secure federal systems.

Cyberspace Policy Review: Assuring a Trusted and Resilient Communications Infrastructure

http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

May 29, 2009

76

The President directed a 60-day, comprehensive, "clean-slate" review to assess U.S. policies and structures for cybersecurity. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, state governments, international partners, and the legislative and executive branches. This paper summarizes the review team's conclusions and outlines the beginning of the way forward toward a reliable, resilient, trustworthy digital infrastructure for the future.

Source: Highlights compiled by CRS from the White House reports.

a. White House and Office of Management and Budget.

Table 22. Selected Government Reports: Department of Defense (DOD)

Title

Source

Date

Pages

Notes

Resilient Military Systems and the Advanced Cyber Threat

http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf

Department of Defense Science Board

January 2013

146

The report states that, despite numerous Pentagon actions to parry sophisticated attacks by other countries, efforts are "fragmented" and the Defense Department "is not prepared to defend against this threat." The report lays out a scenario in which cyberattacks in conjunction with conventional warfare damaged the ability of U.S. forces to respond, creating confusion on the battlefield and weakening traditional defenses.

FY 2012 Annual Report

http://www.dote.osd.mil/pub/reports/FY2012/pdf/other/2012DOTEAnnualReport.pdf

Department of Defense

January 2013

372

Annual report to Congress by J. Michael Gilmore, director of Operational Test and Evaluation. Assesses the operational effectiveness of systems being developed for combat. See "Information Assurance (I/A) and Interoperability (IOP)" chapter, pages 305-312, for information on network exploitation and compromise exercises.

Basic Safeguarding of Contractor Information Systems (Proposed Rule)

http://www.gpo.gov/fdsys/pkg/FR-2012-08-24/pdf/2012-20881.pdf

Federal Register

August 24, 2012

4

This regulation authored by the DOD, General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) "would add a contract clause to address requirements for the basic safeguarding of contractor information systems that contain or process information provided by or generated for the government (other than public information)."

DOD Actions Needed to Strengthen Management and Oversight

http://www.gao.gov/products/GAO-12-479?source=ra

GAO

July 9, 2012

46

DOD's oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective department-wide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources.
Cloud Computing Strategy

http://www.defense.gov/news/DoDCloudComputingStrategy.pdf

DOD, Chief Information Officer

July 2012

44

The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state, which is an agile, secure, and cost-effective service environment that can rapidly respond to changing mission needs.

DOD Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance Activities

http://www.gpo.gov/fdsys/pkg/FR-2012-05-11/pdf/2012-10651.pdf

Federal Register

May 11, 2012

DOD interim final rule to establish a voluntary cyber security information sharing program between DOD and eligible DIB companies. The program enhances and supplements DIB participants' capabilities to safeguard DOD information that resides on, or transits, DIB unclassified information.

DOD Information Security Program: Overview, Classification, and Declassification

http://www.fas.org/sgp/othergov/dod/5200_01_v1.pdf

DOD

February 16, 2012

84

Describes the DOD Information Security Program, and provides guidance for classification and declassification of DOD information that requires protection in the interest of the national security.

Cyber Sentries: Preparing Defenders to Win in a Contested Domain

http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA561779&Location=U2&doc=GetTRDoc.pdf

Air War College

February 7, 2012

38

This paper examines the current impediments to effective cybersecurity workforce preparation and offers new concepts to create Cyber Sentries through realistic training, network authorities tied to certification, and ethical training. These actions present an opportunity to significantly enhance workforce quality and allow the Department to operate effectively in the contested cyber domain in accordance with the vision established in its Strategy for Cyberspace Operations.

Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates

http://www.gao.gov/products/GAO-11-695R

General Accountability Office (GAO)

July 29, 2011

33

This letter discusses DOD's cyber and information assurance budget for fiscal year 2012 and future years defense spending. The objectives of this review were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department; and (2) identify the challenges DOD has faced in providing such estimates.
Legal Reviews of Weapons and Cyber Capabilities

http://www.e-publishing.af.mil/shared/media/epubs/AFI51-402.pdf

Secretary of the Air Force

July 27, 2011

7

States the Air Force must subject cyber capabilities to legal review for compliance with the Law of Armed Conflict and other international and domestic laws. The Air Force judge advocate general must ensure that all cyber capabilities "being developed, bought, built, modified or otherwise acquired by the Air Force" must undergo legal review — except for cyber capabilities within a Special Access Program, which must undergo review by the Air Force general counsel.

Department of Defense Strategy for Operating in Cyberspace

http://www.defense.gov/news/d20110714cyber.pdf

DOD

July 14, 2011

19

This is an unclassified summary of DOD's cyber-security strategy.

Cyber Operations Personnel Report (DOD)

http://www.hsdl.org/?view&did=488076

DOD

April 2011

84

This report focuses on FY2009 Department of Defense Cyber Operations personnel, with duties and responsibilities as defined in Section 934 of the Fiscal Year 2010 National Defense Authorization Act (NDAA).

Appendix A — Cyber Operations-related Military Occupations

Appendix B — Commercial Certifications Supporting the DOD Information Assurance Workforce Improvement Program

Appendix C — Military Services Training and Development

Appendix D — Geographic Location of National Centers of Academic Excellence in Information Assurance

Anomaly Detection at Multiple Scales (ADAMS)

http://info.publicintelligence.net/DARPA-ADAMS.pdf

Defense Advanced Research Projects Agency (DARPA)

November 9, 2011

74

The design document was produced by Allure Security and sponsored by the Defense Advanced Research Projects Agency (DARPA). It describes a system for preventing leaks by seeding believable disinformation in military information systems to help identify individuals attempting to access and disseminate classified information.

Critical Code: Software Producibility for Defense

http://www.nap.edu/catalog.php?record_id=12979

National Research Council, Committee for Advancing Software-Intensive Systems Producibility

October 20, 2010

161

Assesses the nature of the national investment in software research and, in particular, considers ways to revitalize the knowledge base needed to design, produce, and employ software-intensive systems for tomorrow's defense needs.
Defending a New Domain

http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain

U.S. Deputy Secretary of Defense, William J. Lynn (Foreign Affairs)

September 2010

N/A

In 2008, the U.S. Department of Defense suffered a significant compromise of its classified military computer networks. It began when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East. This previously classified incident was the most significant breach of U.S. military computers ever, and served as an important wake-up call.

The QDR in Perspective: Meeting America's National Security Needs In the 21st Century (QDR Final Report)

http://www.usip.org/quadrennial-defense-review-independent-panel-/view-the-report

Quadrennial Defense Review

July 30, 2010

159

From the report: "The expanding cyber mission also needs to be examined. The Department of Defense should be prepared to assist civil authorities in defending cyberspace - beyond the Department's current role."

Cyberspace Operations: Air Force Doctrine Document 3-12

http://www.e-publishing.af.mil/shared/media/epubs/afdd3-12.pdf

U.S. Air Force

July 15, 2010

62

This Air Force Doctrine Document (AFDD) establishes doctrinal guidance for the employment of U.S. Air Force operations in, through, and from cyberspace. It is the keystone of Air Force operational-level doctrine for cyberspace operations.

DON (Department of the Navy) Cybersecurity/Information Assurance Workforce Management, Oversight and Compliance

http://www.doncio.navy.mil/PolicyView.aspx?ID=1804

U.S. Navy

June 17, 2010

14

To establish policy and assign responsibilities for the administration of the Department of the Navy (DON) Cybersecurity (CS)/Information Assurance Workforce (IAWF) Management Oversight and Compliance Program.

Note: Highlights compiled by CRS from the reports.
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Title 

Source 
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Pages 

Notes 

Five  Pilot  Projects  Receive  Grants  to  Promote  Online  Security 
and  Privacy 

http://vwvw.nist.gov/itl/nstic-0920 1 2.cfm 

NIST 

September  20, 
2012 

N/A 

NIST  announced  more  than  $9  million  in  grant 
awards  to  support  the  National  Strategy  for  Trusted 
Identities  in  Cyberspace  (NSTIC).  Five  U.S. 
organizations  will  pilot  identity  solutions  that  increase 
confidence  in  online  transactions,  prevent  identity 
theft,  and  provide  individuals  with  more  control  over 
how  they  share  their  personal  information. 

Recommendations  for  Establishing  an  Identity  Ecosystem 
Governance  Structure  for  the  National  Strategy  for  Trusted 
Identities  in  Cyberspace 

NIST 

February  17, 
2012 

51 

NIST  responds  to  comments  received  in  response  to 
the  related  Notice  of  Inquiry  published  in  the  Federal 
Register  on  June  1 4,  20 1  1 . 

http://www.nist.gov/nstic/20 1 2-nstic-governance-recs.pdf 

Title: Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace
http://www.nist.gov/nstic/nstic-frn-noi.pdf
Source: Department of Commerce
Date: June 14, 2011
Pages: 4
Notes: The department seeks public comment from all stakeholders, including the commercial, academic, and civil society sectors and consumer and privacy advocates, on potential models, in the form of recommendations and key assumptions, for the formation and structure of the steering group.

Title: Administration Releases Strategy to Protect Online Consumers and Support Innovation and Fact Sheet on National Strategy for Trusted Identities in Cyberspace
http://www.whitehouse.gov/the-press-office/2011/04/15/administration-releases-strategy-protect-online-consumers-and-support-in
Source: White House
Date: April 15, 2011
Pages: 52
Notes: Press release on a proposal to administer the processes for policy and standards adoption for the Identity Ecosystem Framework in accordance with the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Title: National Strategy for Trusted Identities in Cyberspace
http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trust cyberspace
Source: White House
Date: April 15, 2011
Pages: 52
Notes: The NSTIC aims to make online transactions more trustworthy, thereby giving businesses and consumers more confidence in conducting business online.

Note:  Highlights  compiled  by  CRS  from  the  reports. 
Table 24. Selected Reports: Cloud Computing

Title: Delivering on the Promise of Big Data and the Cloud
http://www.boozallen.com/media/file/BigDataInTheCloud.pdf
Source: Booz Allen Hamilton
Date: January 9, 2013
Pages: 7
Notes: Reference architecture does away with conventional data and analytics silos, consolidating all information into a single medium designed to foster connections, called a "data lake," which reduces complexity and creates efficiencies that improve data visualization and allow for easier insights by analysts.

Title: Cloud Computing: An Overview of the Technology and the Issues Facing American Innovators
http://judiciary.house.gov/hearings/Hearings%202012/hear_07252012_2.html
Source: House Judiciary Comm., Subcom. on Intellectual Property, Competition, and the Internet
Date: July 25, 2012
Pages: 156
Notes: Overview and discussion of cloud computing issues.

Title: Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should Be Better Planned
http://www.gao.gov/products/GAO-12-756
Source: GAO
Date: July 11, 2012
Pages: 43
Notes: To help ensure the success of agencies' implementation of cloud-based solutions, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration and Small Business Administration, should direct their respective CIOs to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service discussed in this report, as applicable.

Title: Cloud Computing Strategy
http://www.defense.gov/news/DoDCloudComputingStrategy.pdf
Source: DOD, Chief Information Officer
Date: July 2012
Pages: 44
Notes: The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state which is an agile, secure, and cost-effective service environment that can rapidly respond to changing mission needs.


Title: A Global Reality: Governmental Access to Data in the Cloud - A Comparative Analysis of Ten International Jurisdictions
http://www.hldataprotection.com/uploads/file/Hogan%20Lovells%20White%20Paper%20Government%20Access%20to%20Cloud%20Data%20Paper%20%281%29.pdf
Source: Hogan Lovells
Date: May 23, 2012
Notes: This White Paper compares the nature and extent of governmental access to data in the cloud in many jurisdictions around the world.

Title: Policy Challenges of Cross-Border Cloud Computing
http://www.usitc.gov/journals/Policy_Challenges_of_Cross-border_Cloud_Computing_rev.pdf
Source: U.S. International Trade Commission
Date: May 1, 2012
Pages: 38
Notes: Examines the main policy challenges associated with cross-border cloud computing (data privacy, security, and ensuring the free flow of information) and the ways that countries are addressing them through domestic policymaking, international agreements, and other cooperative arrangements.

Title: Cloud Computing Synopsis and Recommendations
http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
Source: NIST
Date: May 2012
Pages: 81
Notes: The National Institute of Standards and Technology has unveiled a guide that explains cloud technologies in "plain terms" to federal agencies and provides recommendations for IT decision makers.

Title: Global Cloud Computing Scorecard: A Blueprint for Economic Opportunity
http://portal.bsa.org/cloudscorecard2012/
Source: Business Software Alliance
Date: February 2, 2012
Pages: 24
Notes: This report notes that while many developed countries have adjusted their laws and regulations to address cloud computing, the wide differences in those rules make it difficult for companies to invest in the technology.

Title: Concept of Operations: FedRAMP
http://www.gsa.gov/graphics/staffoffices/FedRAMP_CONOPS.pdf
Source: General Services Administration (GSA)
Date: February 7, 2012
Pages: 47
Notes: Implementation of FedRAMP will be in phases. This document describes all the services that will be available at initial operating capability, targeted for June 2012. The Concept of Operations will be updated as the program evolves toward sustained operations.

Title: Federal Risk and Authorization Management Program (FedRAMP)
http://www.gsa.gov/portal/category/102371
Source: Federal CIO Council
Date: January 4, 2012
Pages: N/A
Notes: The Federal Risk and Authorization Management Program, or FedRAMP, has been established to provide a standard approach to assessing and authorizing (A&A) cloud computing services and products.
Title: Security Authorization of Information Systems in Cloud Computing Environments (FedRAMP)
http://www.cio.gov/fedrampmemo.pdf
Source: White House/Office of Management and Budget (OMB)
Date: December 8, 2011
Pages: 7
Notes: The Federal Risk and Authorization Management Program (FedRAMP) will now be required for all agencies purchasing storage, applications, and other remote services from vendors. The Obama Administration has championed cloud computing as a means to save money and accelerate the government's adoption of new technologies.

Title: U.S. Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (Draft): High-Priority Requirements to Further USG Agency Cloud Computing Adoption
http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf
Source: NIST
Date: December 1, 2011
Pages: 32
Notes: Volume I is aimed at interested parties who wish to gain a general understanding and overview of the background, purpose, context, work, results, and next steps of the U.S. Government Cloud Computing Technology Roadmap initiative.

Title: U.S. Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume II: Useful Information for Cloud Adopters
http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf
Source: NIST
Date: December 1, 2011
Pages: 85
Notes: Volume II is designed to be a technical reference for those actively working on strategic and tactical cloud computing initiatives, including, but not limited to, U.S. government cloud adopters. Volume II integrates and summarizes the work completed to date and explains how these findings support the roadmap introduced in Volume I.

Title: Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
http://www.gao.gov/products/GAO-12-130T
Source: GAO
Date: October 5, 2011
Pages: 17
Notes: Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that NIST issue guidance specific to cloud computing security. NIST has issued multiple publications that address such guidance; however, one publication remains in draft and is not to be finalized until the first quarter of fiscal year 2012.

Title: Cloud Computing Reference Architecture
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
Source: NIST
Date: September 1, 2011
Pages: 35
Notes: This "Special Publication," which is not an official U.S. government standard, is designed to provide guidance to specific communities of practitioners and researchers.

Title: Guide to Cloud Computing for Policy Makers
http://www.siia.net/index.php?option=com_docman&task=doc_download&gid=3040&Itemid=318
Source: Software and Information Industry Association (SIIA)
Date: July 26, 2011
Pages: 27
Notes: The SIIA concludes "that there is no need for cloud-specific legislation or regulations to provide for the safe and rapid growth of cloud computing, and in fact, such actions could impede the great potential of cloud computing."
Title: Federal Cloud Computing Strategy
http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf
Source: White House
Date: February 13, 2011
Pages: 43
Notes: The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance.

Notes:  These  reports  analyze  cybersecurity  issues  related  to  the  federal  government's  adoption  of  cloud  computing  storage  options.  Highlights  compiled  by  CRS  from 
the  reports. 
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Cybersecurity:  Authoritative  Reports  and  Resources 


CRS  Reports:  Critical  Infrastructure 

• CRS Report R42683, Critical Infrastructure Resilience: The Evolution of Policy and Programs and Issues for Congress, by John D. Moteff

• CRS Report RL30153, Critical Infrastructures: Background, Policy, and Implementation, by John D. Moteff

• CRS Report R42660, Pipeline Cybersecurity: Federal Policy, by Paul W. Parfomak

• CRS Report R41536, Keeping America's Pipelines Safe and Secure: Key Issues for Congress, by Paul W. Parfomak

• CRS Report R41886, The Smart Grid and Cybersecurity: Regulatory Policy and Issues, by Richard J. Campbell

• CRS Report R42338, Smart Meter Data: Privacy and Cybersecurity, by Brandon J. Murrill, Edward C. Liu, and Richard M. Thompson II

• CRS Report RL33586, The Federal Networking and Information Technology Research and Development Program: Background, Funding, and Activities, by Patricia Moloney Figliola

• CRS Report 97-868, Internet Domain Names: Background and Policy Issues, by Lennard G. Kruger

• CRS Report R42351, Internet Governance and the Domain Name System: Issues for Congress, by Lennard G. Kruger




Table 25. Selected Reports: Critical Infrastructure

Title: Incentives To Adopt Improved Cybersecurity Practices
http://www.ntia.doc.gov/federal-register-notice/2013/notice-inquiry-incentives-adopt-improved-cybersecurity-practices-html
Source: National Institute of Standards and Technology and the National Telecommunications and Information Administration
Date: March 28, 2013
Pages: N/A
Notes: The Commerce Department is preparing a report on ways to incentivize companies and organizations to improve their cybersecurity. To better understand what stakeholders, such as companies, trade associations, academics, and others, believe would best serve as incentives, the Department has released a series of questions to gather public comments in a Notice of Inquiry.

Title: SCADA and Process Control Security Survey
https://www.sans.org/reading_room/analysts_program/sans_survey_scada_2013.pdf
Source: SANS Institute
Date: February 1, 2013
Pages: 19
Notes: SANS Institute surveyed professionals who work with SCADA and process control systems. Of the nearly 700 respondents, 70% said they consider their SCADA systems to be at high or severe risk; one-third of them suspect that they have already been infiltrated.

Title: Follow-up Audit of the Department's Cyber Security Incident Management Program
https://www.hsdl.org/?view&did=728459
Source: U.S. Department of Energy Inspector General's Office
Date: December 1, 2012
Pages: 25
Notes: A 2008 report, The Department's Cyber Security Incident Management Program (DOE/IG-0787, January 2008), found that the department and NNSA had established and maintained a number of independent, at least partially duplicative, cyber security incident management capabilities. Although certain actions had been taken in response to the prior report, the follow-up audit identified several issues that limited the efficiency and effectiveness of the department's cyber security incident management program and adversely affected the ability of law enforcement to investigate incidents. In response to the findings, management concurred with the recommendations and indicated that it had initiated actions to address the issues identified.

Title: Terrorism and the Electric Power Delivery System
http://www.nap.edu/catalog.php?record_id=12050
Source: National Academies of Science
Date: November 2012
Pages: 146
Notes: Focuses on measures that could make the power delivery system less vulnerable to attacks, restore power faster after an attack, and make critical services less vulnerable while the delivery of conventional electric power has been disrupted.

Title: New FERC Office to Focus on Cyber Security
http://www.ferc.gov/media/news-releases/2012/2012-3/09-20-12.asp
Source: U.S. Department of Energy
Date: September 20, 2012
Pages: N/A
Notes: The Federal Energy Regulatory Commission announced the creation of the agency's new Office of Energy Infrastructure Security, which will work to reduce threats to the electric grid and other energy facilities. The goal is for the office to help FERC, as well as other agencies and private companies, better identify potential dangers and solutions.
Title: Canvassing the Targeting of Energy Infrastructure: The Energy Infrastructure Attack Database
http://www.ensec.org/index.php?option=com_content&view=article&id=379:canvassing-the-targeting-of-energy-infrastructure-the-energy-infrastructure-attack-database&catid=128:issue-content&Itemid=402
Source: Journal of Energy Security
Date: August 7, 2012
Pages: 8
Notes: The Energy Infrastructure Attack Database (EIAD) is a non-commercial dataset that structures information on reported (criminal and political) attacks on energy infrastructure (EI) worldwide since 1980 by non-state actors. In building this resource, the objective was to develop a product that could be broadly accessible and also connect to existing available resources.

Title: Smart-Grid Security
http://cip.gmu.edu/archive/CIPHS_TheCIPReport_August2012_SmartGridSecurity.pdf#page=2
Source: Center for Infrastructure Protection and Homeland Security, George Mason School of Law
Date: August 1, 2012
Pages: 26
Notes: Highlights the significance of and the challenges with securing the smart grid.

Title: Cybersecurity: Challenges in Securing the Electricity Grid
http://www.gao.gov/products/GAO-12-926T
Source: GAO
Date: July 17, 2012
Pages: 25
Notes: In a prior report, GAO made recommendations related to electricity grid modernization efforts, including developing an approach to monitor compliance with voluntary standards. These recommendations have not yet been implemented.

Title: ICS-CERT Incident Response Summary Report
http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Incident_Response_Summary_Report_09_11.pdf
Source: U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
Date: June 28, 2012
Pages: 17
Notes: The number of reported cyberattacks on U.S. critical infrastructure increased sharply, from 9 incidents in 2009 to 198 in 2011. Water sector-specific incidents, when added to the incidents that affected several sectors, accounted for more than half of the incidents. In more than half of the most serious cases, implementing best practices such as login limitation or a properly configured firewall would have deterred the attack, reduced the time it would have taken to detect an attack, and minimized its impact.

Title: Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
http://energy.gov/articles/energy-department-develops-tool-industry-help-utilities-strengthen-their-cybersecurity
Source: U.S. Department of Energy
Date: June 28, 2012
Pages: N/A
Notes: The Cybersecurity Self-Evaluation Tool utilizes best practices that were developed for the Electricity Subsector Cybersecurity Capability Maturity Model Initiative, which involved a series of workshops with the private sector to draft a maturity model that can be used throughout the electric sector to better protect the grid.

Title: Electricity Subsector Cybersecurity Risk Management Process
http://energy.gov/oe/downloads/cybersecurity-risk-management-process-rmp-guideline-final-may-2012
Source: Department of Energy, Office of Electricity Delivery & Energy Reliability
Date: May 2012
Pages: 96
Notes: The guideline describes a risk management process that is targeted to the specific needs of electricity sector organizations. The objective of the guideline is to build upon existing guidance and requirements to develop a flexible risk management process tuned to the diverse missions, equipment, and business needs of the electric power industry.
Title: Cybersecurity for Energy Delivery Systems Program
http://energy.gov/oe/technology-development/energy-delivery-systems-cybersecurity
Source: Department of Energy, Office of Electricity Delivery & Energy Reliability
Date: Ongoing
Pages: N/A
Notes: The program assists energy sector asset owners (electric, oil, and gas) by developing cybersecurity solutions for energy delivery systems through integrated planning and a focused research and development effort. CEDS co-funds projects with industry partners to make advances in cybersecurity capabilities for energy delivery systems.

Title: ICT Applications for the Smart Grid: Opportunities and Policy Implications
http://www.oecd-ilibrary.org/content/workingpaper/5k9h2q8v9bln-en
Source: Organisation for Economic Co-operation and Development (OECD)
Date: January 10, 2012
Pages: 44
Notes: This report discusses "smart" applications of information and communication technologies (ICTs) for more sustainable energy production, management, and consumption. The report outlines policy implications for government ministries dealing with telecommunications regulation, ICT sector and innovation promotion, and consumer and competition issues.

Title: The Department's Management of the Smart Grid Investment Grant Program
http://energy.gov/ig/downloads/departments-management-smart-grid-investment-grant-program-oas-ra-12-04
Source: Department of Energy (DOE) Inspector General
Date: January 1, 2012
Pages: 21
Notes: According to the Inspector General, DOE's rush to award stimulus grants for projects under the next generation of the power grid, known as the smart grid, resulted in some firms receiving funds without submitting complete plans for how to safeguard the grid from cyber attacks.

Title: Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
http://www.gao.gov/products/GAO-12-92
Source: Government Accountability Office (GAO)
Date: December 9, 2011
Pages: 77
Notes: Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the available guidance could help both federal and private-sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.

Title: The Future of the Electric Grid
http://web.mit.edu/mitei/research/studies/the-electric-grid-2011.shtml
Source: Massachusetts Institute of Technology (MIT)
Date: December 5, 2011
Pages: 39
Notes: Chapter 1 provides an overview of the status of the grid, the challenges and opportunities it will face, and major recommendations. To facilitate selective reading, detailed descriptions of the contents of each section in Chapters 2-9 are provided in each chapter's introduction, and recommendations are collected and briefly discussed in each chapter's final section. (See Chapter 9, Data Communications, Cybersecurity, and Information Privacy, pages 208-234.)

Title: FCC's Plan for Ensuring the Security of Telecommunications Networks
ftp://ftp.fcc.gov/pub/Daily_Releases/Daily_Business/2011/db0610/DOC-307454A1.txt
Source: Federal Communications Commission (FCC)
Date: June 3, 2011
Pages: 1
Notes: FCC Chairman Genachowski's response to a letter from Rep. Anna Eshoo dated November 2, 2010, regarding concerns about the implications of foreign-controlled telecommunications infrastructure companies providing equipment to the U.S. market.
Title: Cyber Infrastructure Protection
http://www.strategicstudiesinstitute.army.mil/pubs/display.cfm?pubid=1067
Source: U.S. Army War College
Date: May 9, 2011
Pages: 324
Notes: Part 1 deals with strategy and policy issues related to cyber security and provides discussions covering the theory of cyberpower, Internet survivability, large scale data breaches, and the role of cyberpower in humanitarian assistance. Part 2 covers social and legal aspects of cyber infrastructure protection and discusses the attack dynamics of politically and religiously motivated hackers. Part 3 discusses the technical aspects of cyber infrastructure protection, including the resilience of data centers, intrusion detection, and a strong emphasis on Internet protocol (IP) networks.

Title: In the Dark: Crucial Industries Confront Cyberattacks
http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf
Source: McAfee and Center for Strategic and International Studies (CSIS)
Date: April 21, 2011
Pages: 28
Notes: The study reveals an increase in cyber attacks on critical infrastructure such as power grids, oil, gas, and water; it also shows that many of the world's critical infrastructures lacked protection of their computer networks, and reveals the cost and impact of cyberattacks.

Title: Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems
http://www.gao.gov/products/GAO-11-463T
Source: Government Accountability Office (GAO)
Date: March 16, 2011
Pages: 16
Notes: According to GAO, executive branch agencies have also made progress instituting several government-wide initiatives that are aimed at bolstering aspects of federal cybersecurity, such as reducing the number of federal access points to the Internet, establishing security configurations for desktop computers, and enhancing situational awareness of cyber events. Despite these efforts, the federal government continues to face significant challenges in protecting the nation's cyber-reliant critical infrastructure and federal information systems.

Title: Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security
http://www.wired.com/images_blogs/threatlevel/2011/02/DoE-IG-Report-on-Grid-Security.pdf
Source: North American Electric Reliability Corp. (NERC)
Date: January 26, 2011
Pages: 30
Notes: NERC developed Critical Infrastructure Protection (CIP) cyber security reliability standards, which were approved by FERC in January 2008. Although the Commission had taken steps to ensure CIP cyber security standards were developed and approved, NERC's testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the Commission were not adequate to ensure that systems-related risks to the nation's power grid were mitigated or addressed in a timely manner.
Title: Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to Be Addressed
http://www.gao.gov/products/GAO-11-117
Source: Government Accountability Office (GAO)
Date: January 12, 2011
Pages: 50
Notes: To reduce the risk that NIST's smart grid cybersecurity guidelines will not be as effective as intended, the Secretary of Commerce should direct the Director of NIST to finalize the agency's plan for updating and maintaining the cybersecurity guidelines, including ensuring it incorporates (1) missing key elements identified in this report and (2) specific milestones for when efforts are to be completed. Also, as part of finalizing the plan, the Secretary of Commerce should direct the Director of NIST to assess whether any cybersecurity challenges identified in this report should be addressed in the guidelines.

Title: Partnership for Cybersecurity Innovation
http://www.whitehouse.gov/blog/2010/12/06/partnership-cybersecurity-innovation
Source: White House (Office of Science & Technology Policy)
Date: December 6, 2010
Pages: 4
Notes: The Obama Administration released a Memorandum of Understanding signed by the National Institute of Standards and Technology (NIST) of the Department of Commerce, the Science and Technology Directorate of the Department of Homeland Security (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The goal of the agreement is to speed the commercialization of cybersecurity research innovations that support the nation's critical infrastructures.

Title: WIB Security Standard Released
http://www.isssource.com/wib/
Source: International Instrument Users Association (WIB)
Date: November 10, 2010
Notes: The Netherlands-based International Instrument Users Association (WIB), an international organization that represents global manufacturers in the industrial automation industry, announced the second version of the Process Control Domain Security Requirements for Vendors document, the first international standard that outlines a set of specific requirements focusing on cyber security best practices for suppliers of industrial automation and control systems.

Title: Information Security Management System for Microsoft Cloud Infrastructure
http://cdn.globalfoundationservices.com/documents/InformationSecurityMangSysforMSCloudInfrastructure.pdf
Source: Microsoft
Date: November 2010
Pages: 15
Notes: This study describes the standards Microsoft follows to address current and evolving cloud security threats. It also depicts the internal structures within Microsoft that handle cloud security and risk management issues.

Title: NIST Finalizes Initial Set of Smart Grid Cyber Security Guidelines
http://www.nist.gov/public_affairs/releases/nist-finalizes-initial-set-of-smart-grid-cyber-security-guidelines.cfm
Source: National Institute of Standards and Technology (NIST)
Date: September 2, 2010
Pages: N/A
Notes: NIST released a 3-volume set of recommendations on all things relevant to securing the Smart Grid. The guidelines address a variety of topics, including high-level security requirements, a risk assessment framework, an evaluation of privacy issues in residences, and recommendations for protecting the evolving grid from attacks, malicious code, cascading errors, and other threats.
Title: Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed
http://www.gao.gov/products/GAO-10-628
Source: Government Accountability Office (GAO)
Date: July 15, 2010
Pages: 38
Notes: Private-sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations.

Title: The Future of Cloud Computing
http://pewinternet.org/Reports/2010/The-future-of-cloud-computing.aspx
Source: Pew Research Center's Internet & American Life Project
Date: June 11, 2010
Pages: 26
Notes: Technology experts and stakeholders say they expect they will "live mostly in the cloud" in 2020 and not on the desktop, working mostly through cyberspace-based applications accessed through networked devices.

Title: The Reliability of Global Undersea Communications Cable Infrastructure (The ROGUCCI Report)
http://www.ieee-rogucci.org/files/The%20ROGUCCI%20Report.pdf
Source: IEEE/EastWest Institute
Date: May 26, 2010
Pages: 186
Notes: This study submits 12 major recommendations to the private sector, governments, and other stakeholders, especially the financial sector, for the purpose of improving the reliability, robustness, resilience, and security of the world's undersea communications cable infrastructure.

Title: NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses
http://www.fas.org/sgp/eprint/nstb.pdf
Source: Department of Energy, Idaho National Laboratory
Date: May 1, 2010
Pages: 123
Notes: Computer networks controlling the electric grid are plagued with security holes that could allow intruders to redirect power delivery and steal data. Many of the security vulnerabilities are strikingly basic and fixable problems.

Explore the reliability and resiliency of commercial broadband communications networks
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-305618A1.doc
Federal Communications Commission (FCC). April 21, 2010. Pages: N/A.
The Federal Communications Commission launched an inquiry on the ability of existing broadband networks to withstand significant damage or severe overloads as a result of natural disasters, terrorist attacks, pandemics, or other major public emergencies, as recommended in the National Broadband Plan.

Security Guidance for Critical Areas of Focus in Cloud Computing V2.1
http://www.cloudsecurityalliance.org/csaguide.pdf
Cloud Security Alliance. December 2009. 76 pages.
"Through our focus on the central issues of cloud computing security, we have attempted to bring greater clarity to an otherwise complicated landscape, which is often filled with incomplete and oversimplified information. Our focus ... serves to bring context and specificity to the cloud computing security discussion; enabling us to go beyond gross generalizations to deliver more insightful and targeted recommendations."

21 Steps to Improve Cyber Security of SCADA Networks
http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
U.S. Department of Energy, Infrastructure Security and Energy Restoration. January 1, 2007. 10 pages.
The President's Critical Infrastructure Protection Board and the Department of Energy have developed steps to help any organization improve the security of its SCADA networks. The steps are divided into two categories: specific actions to improve implementation, and actions to establish essential underlying management processes and policies.

Note:  Highlights  compiled  by  CRS  from  the  reports. 




Cybersecurity:  Authoritative  Reports  and  Resources 


CRS  Reports:  Cybercrime  and  National  Security 

•  CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle

•  CRS Report 94-166, Extraterritorial Application of American Criminal Law, by Charles Doyle

•  CRS Report R42403, Cybersecurity: Cyber Crime Protection Security Act (S. 2111, 112th Congress) - A Legal Analysis, by Charles Doyle

•  CRS Report 98-326, Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by Gina Stevens and Charles Doyle

•  CRS Report RL32706, Spyware: Background and Policy Issues for Congress, by Patricia Moloney Figliola

•  CRS Report R41975, Illegal Internet Streaming of Copyrighted Content: Legislation in the 112th Congress, by Brian T. Yeh

•  CRS Report R42112, Online Copyright Infringement and Counterfeiting: Legislation in the 112th Congress, by Brian T. Yeh

•  CRS Report R40599, Identity Theft: Trends and Issues, by Kristin M. Finklea

•  CRS Report R41927, The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement, by Kristin M. Finklea

•  CRS Report RL34651, Protection of Children Online: Federal and State Laws Addressing Cyberstalking, Cyberharassment, and Cyberbullying, by Alison M. Smith

•  CRS Report R42547, Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement, by Kristin M. Finklea and Catherine A. Theohary


Congressional  Research  Service 




Table 26. Selected Reports: Cybercrime/Cyberwar

(Each entry gives Title and URL, then Source, Date, and Pages, then Notes.)

The Tallinn Manual on the International Law Applicable to Cyber Warfare
http://ccdcoe.org/249.html
Cambridge University Press/NATO Cooperative Cyber Defence Centre of Excellence. March 5, 2013. 282 pages.
The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 "black-letter rules" governing such conflicts. An extensive commentary accompanies each rule, which sets forth each rule's basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule's application. (Note: The manual is not an official NATO publication, but an expression of opinions of a group of independent experts acting solely in their personal capacity.)

APT1: Exposing One of China's Cyber Espionage Units
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Mandiant. February 19, 2013. 76 pages.
The details analyzed during hundreds of investigations signal that the groups conducting these activities (computer security breaches around the world) are based primarily in China and that the Chinese government is aware of them.

Video demo of Chinese hacker activity
http://intelreport.mandiant.com/
Mandiant. February 19, 2013. Pages: N/A.
Video of APT1 attacker sessions and intrusion activities (5-minute video).

Cyberattacks Among Rivals: 2001-2011 (from the article "The Fog of Cyberwar" by Brandon Valeriano and Ryan Maness; subscription required)
http://www.foreignaffairs.com/cyberattacks-by-initiator-and-victim
Foreign Affairs. November 21, 2012. Pages: N/A.
A chart showing cyberattacks by initiator and victim, 2001-2011.

Emerging Cyber Threats Report 2013
http://www.gtsecuritysummit.com/pdf/2013ThreatsReport.pdf
Georgia Institute of Technology. November 14, 2012. 9 pages.
The year ahead will feature new and increasingly sophisticated means to capture and exploit user data, escalating battles over the control of online information, and continuous threats to the U.S. supply chain from global sources. (From the annual Georgia Tech Cyber Security Summit 2012.)

Proactive Defense for Evolving Cyber Threats
http://prod.sandia.gov/techlib/access-control.cgi/2012/1210177.pdf
Sandia National Labs. November 1, 2012. 98 pages.
The project applied rigorous predictability-based analytics to two central and complementary aspects of the network defense problem, the attack strategies of the adversaries and the vulnerabilities of the defenders' systems, and used the results to develop a scientifically grounded, practically implementable methodology for designing proactive cyber defense systems.
Safeguarding Cyber-Security, Fighting in Cyberspace
http://www.isn.ethz.ch/isn/Editorial-Plan/Dossiers/Detail/?lng=en&id=154059&contextid782=154059
International Relations and Security Network (ISN). October 22, 2012. Pages: N/A.
Looks at the militarisation of cyber security as a source of global tension and makes the case that cyber-warfare is already an essential feature of many leading states' strategic calculations, followed by the opposite view, which holds that the threat posed by cyber-warfare capabilities is woefully overstated.

Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World
http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Symantec Research Labs. October 16, 2012. 12 pages.
The paper describes a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed.

ZeroAccess: We're Gonna Need a Bigger Planet
http://www.f-secure.com/weblog/archives/00002428.html
F-Secure and Google Maps. October 15, 2012. Pages: N/A.
The idea of a network of malware-infected zombie computers rigged to do the bidding of criminals conjures up a frightening image on its own. A new visualization of the so-called ZeroAccess botnet shows how widespread such schemes can become.

Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE
http://intelligence.house.gov/press-release/investigative-report-us-national-security-issues-posed-chinese-telecommunications
House Permanent Select Committee on Intelligence. October 8, 2012. 60 pages.
The committee initiated this investigation in November 2011 to inquire into the counterintelligence and security threat posed by Chinese telecommunications companies doing business in the United States.

Federal Support for and Involvement in State and Local Fusion Centers
http://www.hsgac.senate.gov/download/?id=49139e81-1dd7-4788-a3bb-d6e7d97dde04
U.S. Senate Permanent Subcommittee on Investigations. October 3, 2012. 141 pages.
A two-year bipartisan investigation found that U.S. Department of Homeland Security efforts to engage state and local intelligence "fusion centers" have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, "Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts," Part G, "Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts," the report discusses the Russian "Cyberattack" in Illinois.

HoneyMap - Visualizing Worldwide Attacks in Real-Time
http://www.honeynet.org/node/960
The Honeynet Project. October 1, 2012. Pages: N/A.
The HoneyMap shows a real-time visualization of attacks against the Honeynet Project's sensors deployed around the world.

Manual on International Law Applicable to Cyber Warfare ("The Tallinn Manual")
http://www.ccdcoe.org/249.html
NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia. August 2012. Pages: N/A.
The Tallinn Manual is a nonbinding yet authoritative restatement of the law of armed conflict as it relates to cyberwar. It offers guidance to attackers, defenders, and legal experts on how cyberattacks can be classified as actions covered under the law, such as armed attacks.
Does Cybercrime Really Cost $1 Trillion?
http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion
ProPublica. August 1, 2012. Pages: N/A.
In a news release from computer security firm McAfee to announce its 2009 report, "Unsecured Economies: Protecting Vital Information," the company estimated a trillion dollar global cost for cybercrime. The number does not appear in the report itself. McAfee's trillion-dollar estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. An examination of their origins by ProPublica has found new grounds to question the data and methods used to generate these numbers, which McAfee and Symantec say they stand behind.

Putting the "war" in cyberwar: Metaphor, analogy, and cybersecurity discourse in the United States
http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/3848/3270
First Monday. July 2, 2012. Pages: N/A.
This essay argues that current contradictory tendencies are unproductive and even potentially dangerous. It argues that the war metaphor and nuclear deterrence analogy are neither natural nor inevitable and that abandoning them would open up new possibilities for thinking more productively about the full spectrum of cyber security challenges, including the as-yet unrealized possibility of cyber war.

Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage
http://www.gao.gov/products/GAO-12-876T
GAO. June 28, 2012. 20 pages.
This statement discusses (1) cyber threats facing the nation's systems, (2) reported cyber incidents and their impacts, (3) security controls and other techniques available for reducing risk, and (4) the responsibilities of key federal entities in support of protecting IP.

Measuring the Cost of Cybercrime
http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
11th Annual Workshop on the Economics of Information Security. June 25, 2012. Pages: N/A.
"For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs - both to the UK and to the world as a whole."

Nodes and Codes: The Reality of Cyber Warfare
http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA567190&Location=U2&doc=GetTRDoc.pdf
US Army School of Advanced Military Studies, Command and General Staff. May 17, 2012. 62 pages.
Explores the reality of cyber warfare through the story of Stuxnet. Three case studies evaluate cyber policy, discourse, and procurement in the United States, Russia, and China before and after Stuxnet to illustrate their similar, yet unique, realities of cyber warfare.

The Impact of Cybercrime on Businesses
http://www.checkpoint.com/products/downloads/whitepapers/ponemon-cybercrime-2012.pdf
Ponemon Institute. May 2012. 21 pages.
The study found that targeted attacks on businesses cost enterprises an average of $214,000. The expenses are associated with forensic investigations, investments in technology, and brand recovery costs.
Proactive Policy Measures by Internet Service Providers against Botnets
http://www.oecd-ilibrary.org/science-and-technology/proactive-policy-measures-by-internet-service-providers-against-botnets_5k98tq42t18w-en
Organisation for Economic Co-operation and Development (OECD). May 7, 2012. 25 pages.
This report analyzes initiatives in a number of countries through which end-users are notified by ISPs when their computer is identified as being compromised by malicious software and encouraged to take action to mitigate the problem.

Developing State Solutions to Business Identity Theft: Assistance, Prevention and Detection Efforts by Secretary of State Offices
http://www.nass.org/index.php?option=com_docman&task=doc_download&gid=1257
National Association of Secretaries of State. January 2012. 23 pages.
This white paper is the result of efforts by the 19-member NASS Business Identity Theft Task Force to develop policy guidelines and recommendations for state leaders dealing with identity fraud cases involving public business records.

A Cyberworm that Knows No Boundaries
http://www.rand.org/content/dam/rand/pubs/occasional_papers/2011/RAND_OP342.pdf
RAND. December 21, 2011. 55 pages.
Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. However, defending against such attacks is an increasingly complex prospect.

Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934
http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf
DOD. November 15, 2011. 14 pages.
From the report: "When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means - diplomatic, informational, military and economic - to defend our nation, our allies, our partners and our interests."

W32.Duqu: The Precursor to the Next Stuxnet
http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet
Symantec. October 24, 2011. Pages: N/A.
On October 14, 2011, a research lab with strong international connections alerted Symantec to a sample that appeared to be very similar to Stuxnet, the malware which wreaked havoc in Iran's nuclear centrifuge farms last summer. The lab named the threat "Duqu" because it creates files with the file name prefix "~DQ". The research lab provided Symantec with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet.

Cyber War Will Not Take Place
http://www.tandfonline.com/doi/abs/10.1080/01402390.2011.608939
Journal of Strategic Studies. October 5, 2011. 29 pages.
The paper argues that cyber warfare has never taken place, is not currently taking place, and is unlikely to take place in the future.

Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG)
http://www.sans.org/critical-security-controls/
SANS. October 3, 2011. 77 pages.
The 20 measures are intended to focus agencies' limited resources on plugging the most common attack vectors.
Revealed: Operation Shady RAT: an Investigation Of Targeted Intrusions Into 70+ Global Companies, Governments, and Non-Profit Organizations During the Last 5 Years
http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
McAfee. August 2, 2011. 14 pages.
A cyber-espionage operation lasting many years penetrated 72 government and other organizations, most of them in the United States, and has copied everything from military secrets to industrial designs, according to technology security company McAfee. See page 4 for the types of compromised parties, page 5 for the geographic distribution of victims' country of origin, pages 7-9 for the types of victims, and pages 10-13 for the number of intrusions for 2007-2010.

USCYBERCOM and Cyber Security: Is a Comprehensive Strategy Possible?
Army War College. May 12, 2012. 32 pages.
Examines five aspects of USCYBERCOM: organization, command and control, computer network operations (CNO), synchronization, and resourcing. Identifies areas that currently present significant risk to USCYBERCOM's ability to create a strategy that can achieve success in its cyberspace operations. Recommends potential solutions that can increase the effectiveness of the USCYBERCOM strategy.

A Four-Day Dive Into Stuxnet's Heart
http://www.wired.com/threatlevel/2010/12/a-four-day-dive-into-stuxnets-heart/
Threat Level Blog (Wired). December 27, 2010. Pages: N/A.
From the article, "It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft's Windows vulnerability team learned of it first from an obscure Belarusian security company that even they had never heard of."

Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment
http://isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant/
Institute for Science and International Security. December 22, 2010. 10 pages.
This report indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran's Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart.

The Role of Internet Service Providers in Botnet Mitigation: an Empirical Analysis Based on Spam Data
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.2211&rep=rep1&type=pdf
Organisation for Economic Co-operation and Development (OECD). November 12, 2010. 68 pages.
This working paper considers whether ISPs can be critical control points for botnet mitigation, how the number of infected machines varies across ISPs, and why.

Stuxnet Analysis
http://www.enisa.europa.eu/media/press-releases/stuxnet-analysis
European Network and Information Security Agency. October 7, 2010. Pages: N/A.
EU cybersecurity agency warns that the Stuxnet malware is a game changer for critical information infrastructure protection; PLC controllers of SCADA systems infected with the worm might be programmed to establish destructive over/under pressure conditions by running pumps at different frequencies.
Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy
http://www.nap.edu/catalog.php?record_id=12997#description
National Research Council. October 5, 2010. 400 pages.
At the request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government.

Untangling Attribution: Moving to Accountability in Cyberspace [Testimony]
http://i.cfr.org/content/publications/attachments/Knake%20-Testimony%20071510.pdf
Council on Foreign Relations. July 15, 2010. 14 pages.
Robert K. Knake's testimony before the House Committee on Science and Technology on the role of attack attribution in preventing cyber attacks and how attribution technologies can affect the anonymity and the privacy of Internet users.

Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities
http://www.nap.edu/catalog.php?record_id=12651#description
National Research Council. January 1, 2009. 368 pages.
This report explores important characteristics of cyberattack. It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights.

Note: Highlights compiled by CRS from the reports.


Table 27. Selected Reports: International Efforts

(Each entry gives Title and URL, then Source, Date, and Pages, then Notes.)


The Tallinn Manual on the International Law Applicable to Cyber Warfare
http://ccdcoe.org/249.html
Cambridge University Press/NATO Cooperative Cyber Defence Centre of Excellence. March 5, 2013. 282 pages.
The Tallinn Manual identifies the international law applicable to cyber warfare and sets out ninety-five "black-letter rules" governing such conflicts. An extensive commentary accompanies each rule, which sets forth each rule's basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule's application. (Note: The manual is not an official NATO publication, but an expression of opinions of a group of independent experts acting solely in their personal capacity.)

Administration Strategy for Mitigating the Theft of U.S. Trade Secrets
http://www.whitehouse.gov/sites/default/files/omb/IPEC/admin_strategy_on_mitigating_the_theft_of_u.s._trade_secrets.pdf
White House. February 20, 2013. 141 pages.
"First, we will increase our diplomatic engagement.... Second, we will support industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.... Third, DOJ will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.... Fourth, President Obama recently signed two pieces of legislation that will improve enforcement against trade secret theft.... Lastly, we will increase public awareness of the threats and risks to the U.S. economy posed by trade secret theft."

APT1: Exposing One of China's Cyber Espionage Units
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Mandiant. February 19, 2013. 76 pages.
The details analyzed during hundreds of investigations signal that the groups conducting these activities (computer security breaches around the world) are based primarily in China and that the Chinese government is aware of them.

Video demo of Chinese hacker activity
http://intelreport.mandiant.com/
Mandiant. February 19, 2013. Pages: N/A.
Video of APT1 attacker sessions and intrusion activities (5-minute video).

An Open, Safe and Secure Cyberspace
http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security
European Union. February 7, 2013. 20 pages.
The strategy articulates the EU's vision of cyber-security in terms of five priorities: achieving cyber resilience; drastically reducing cybercrime; developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP); developing the industrial and technological resources for cyber-security; and establishing a coherent international cyberspace policy for the European Union and promoting core EU values.

Linking Cybersecurity Policy and Performance
http://blogs.technet.com/b/trustworthycomputing/archive/2013/02/06/linking-cybersecurity-policy-and-performance-microsoft-releases-special-edition-security-intelligence-report.aspx
Microsoft Trustworthy Computing. February 6, 2013. 27 pages.
Introduces a new methodology for examining how socio-economic factors in a country or region impact cybersecurity performance. It examines measures such as use of modern technology, mature processes, user education, law enforcement, and public policies related to cyberspace. This methodology can build a model that will help predict the expected cybersecurity performance of a given country or region.

The Chinese Defense Economy Takes Off: Sector-by-Sector Assessments and the Role of Military End-Users
http://igcc.ucsd.edu/assets/001/504355.pdf
UC Institute on Global Conflict and Cooperation. January 25, 2013. 87 pages.
This collection of 15 policy briefs explores how China has made such impressive military technological progress over the past few years, what is in store, and what the international security implications are. The briefs are summaries of a series of longer research papers presented at the third annual Chinese defense economy conference held by the Study of Innovation and Technology in China in July 2012.

Defence and Cyber-Security, vol. 1 - Report, together with formal minutes, oral and written evidence
http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/106.pdf
Defence and Cyber-Security, vol. 2 - Additional Written Evidence
http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/106vw.pdf
House of Commons Defence Committee. December 18, 2012. 51 pages (vol. 1), 37 pages (vol. 2).
Given the inevitable inadequacy of the measures available to protect against a constantly changing and evolving threat, and given the Minister for the Cabinet Office's comment, it is not enough for the Armed Forces to do their best to prevent an effective attack. In its response to this report the Government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so, and urgently create some.

Cybersecurity: Managing risks for greater opportunities
http://oecdinsights.org/2012/11/29/cybersecurity-managing-risks-for-greater-opportunities/
Organisation for Economic Co-operation and Development (OECD). November 29, 2012. Pages: N/A.
The OECD launched a broad consultation of all stakeholders from member and non-member countries to review its Security Guidelines. The review will take into account newly emerging risks, technologies, and policy trends around such areas as cloud computing, digital mobility, the Internet of things, social networking, etc.

Cybersecurity Policy Making at a Turning Point: Analysing a New Generation of National Cybersecurity Strategies for the Internet Economy
http://www.oecd-ilibrary.org/cybersecurity-policy-making-at-a-turning-point_5k8zq92vdgtl.pdf?contentType=/ns/WorkingPaper&itemId=/content/workingpaper/5k8zq92vdgtl-en&containerItemId=/content/workingpaperseries/20716826&accessItemIds=&mimeType=application/pdf
Organisation for Economic Co-operation and Development (OECD). November 16, 2012. 57 pages.
This report analyses the latest generation of national cybersecurity strategies in ten OECD countries and identifies commonalities and differences.

2012 Report to Congress of the U.S.-China Economic and Security Review Commission, One Hundred Twelfth Congress, Second Session, November 2012
https://www.hsdl.org/?view&did=725530
U.S.-China Economic and Security Review Commission. November 2012. 509 pages.
This report responds to the mandate for the Commission "to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People's Republic of China." See "China's Cyber Activities," Chapter 2, Section 2, pp. 147-169.


Title: Australia: Telecommunications data retention — an overview
URL: http://parlinfo.aph.gov.au/parlInfo/download/library/prspub/1998792/upload_binary/1998792.pdf
Source: Parliamentary Library of Australia
Date: October 24, 2012
Pages: 32
Notes: In July 2012, the Commonwealth Attorney-General's Department released a Discussion Paper, Equipping Australia against emerging and evolving threats, on the proposed national security reforms.... Of the 18 primary proposals and the 41 individual reforms that they comprise, the suggestion that carriage service providers (CSPs) be required to routinely retain certain information associated with every Australian's use of the Internet and phone services for a period of up to two years ('data retention') is the issue that seems to have attracted the most attention.

Title: More Than Meets the Eye: Clandestine Funding, Cutting-Edge Technology and China's Cyber Research & Development Program
URL: http://www.osti.gov/bridge/servlets/purl/1055833/
Source: Lawrence Livermore National Laboratory
Date: October 23, 2012
Pages: 17
Notes: Analyzes how the Chinese leadership views information technology research and development (R&D), as well as the role cyber R&D plays in China's various strategic development plans. Explores the organizational structure of China's cyber R&D base. Concludes with a projection of how China might field new cyber capabilities for intelligence platforms, advanced weapons systems, and systems designed to support asymmetric warfare operations.

Title: Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE
URL: http://intelligence.house.gov/press-release/investigative-report-us-national-security-issues-posed-chinese-telecommunications
Source: House Permanent Select Committee on Intelligence
Date: October 8, 2012
Pages: 60
Notes: The committee initiated this investigation in November 2011 to inquire into the counterintelligence and security threat posed by Chinese telecommunications companies doing business in the United States.

Title: Manual on International Law Applicable to Cyber Warfare ("The Tallinn Manual")
URL: http://www.ccdcoe.org/249.html
Source: NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
Date: August 2012
Pages: N/A
Notes: The Tallinn Manual is a nonbinding yet authoritative restatement of the law of armed conflict as it relates to cyberwar. It offers attackers, defenders, and legal experts guidance on how cyberattacks can be classified as actions covered under the law, such as armed attacks.

Title: Bilateral Discussions on Cooperation in Cybersecurity
URL: http://www.cicir.ac.cn/chinese/newsView.aspx?nid=3878
Source: China Institute of Contemporary International Relations and the Center for Strategic and International Studies (CSIS)
Date: June 2012
Pages: N/A
Notes: (Scroll down for English.) Since 2009, CSIS and CICIR have held six formal meetings on cybersecurity (accompanied by several informal discussions), called "Sino-U.S. Cybersecurity Dialogue." The meetings have been attended by a broad range of U.S. and Chinese officials and scholars responsible for cybersecurity issues. The goals of the discussions have been to reduce misperceptions and to increase transparency of both countries' authorities and understanding on how each country approaches cybersecurity, and to identify areas of potential cooperation.

Title: Five Years after Estonia's Cyber Attacks: Lessons Learned for NATO?
URL: http://www.ndc.nato.int/download/downloads.php?icode=334
Source: NATO
Date: May 2012
Pages: 8
Notes: In April 2007 a series of cyber attacks targeted Estonian information systems and telecommunication networks. Lasting 22 days, the attacks were directed at a range of servers (web, e-mail, DNS) and routers. The 2007 attacks did not damage much of the Estonian information technology infrastructure. However, the attacks were a true wake-up call for NATO, offering a practical demonstration that cyber attacks could now cripple an entire nation dependent on IT networks.

Title: Cyber-security: The Vexed Question of Global Rules: An Independent Report on Cyber-Preparedness Around the World
URL: http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf?cid=WBB048
Source: McAfee
Date: February 1, 2012
Pages: 108
Notes: Forty-five percent of legislators and cybersecurity experts representing 27 countries think cybersecurity is just as important as border security. The authors surveyed 80 professionals from business, academia and government to gauge worldwide opinions of cybersecurity.

Title: Cyber Power Index
URL: http://www.cyberhub.com/CyberPowerIndex
Source: Booz Allen Hamilton and the Economist Intelligence Unit
Date: January 15, 2012
Pages: N/A
Notes: The index of developing countries' ability to withstand cyber attacks and build strong digital economies rates the countries on their legal and regulatory frameworks; economic and social issues; technology infrastructure; and industry. The index puts the United States in the No. 2 spot, and the UK in No. 1.
Title: Foreign Spies Stealing US Economic Secrets in Cyberspace
URL: http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf
Source: Office of the National Counterintelligence Executive
Date: November 3, 2011
Pages: 31
Notes: According to the report, espionage and theft through cyberspace are growing threats to the United States' security and economic prosperity, and the world's most persistent perpetrators happen to also be U.S. allies.

Title: The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world
URL: http://www.cabinetoffice.gov.uk/sites/default/files/resources/uk-cyber-security-strategy-final.pdf
Source: Cabinet Office (United Kingdom)
Date: November 2011
Pages: 43
Notes: Chapter 1 describes the background to the growth of the networked world and the immense social and economic benefits it is unlocking. Chapter 2 describes these threats. The impacts are already being felt and will grow as our reliance on cyberspace grows. Chapter 3 sets out where we want to end up — with the government's vision for UK cyber security in 2015.

Title: Cyber Dawn: Libya
URL: http://www.unveillance.com/wp-content/uploads/2011/05/Project_Cyber_Dawn_Public.pdf
Source: Cyber Security Forum Initiative
Date: May 9, 2011
Pages: 70
Notes: Project Cyber Dawn: Libya uses open source material to provide an in-depth view of Libyan cyberwarfare capabilities and defenses.

Title: China's Cyber Power and America's National Security
URL: http://www.dtic.mil/dtic/tr/fulltext/u2/a552990.pdf
Source: U.S. Army War College, Strategy Research Project
Date: March 24, 2011
Pages: 86
Notes: This report examines the growth of Chinese cyber power; their known and demonstrated capabilities for offensive, defensive and exploitive computer network operations; China's national security objectives; and the possible application of Chinese cyber power in support of those objectives.

Title: Worldwide Threat Assessment of the U.S. Intelligence Community (Testimony)
URL: http://www.dni.gov/testimonies/20110210_testimony_clapper.pdf
Source: James Clapper, Director of National Intelligence
Date: February 10, 2011
Pages: 34
Notes: Provides an assessment of global threats: convergence, malware, the "Chinese" connection, foreign military capabilities in cyberspace, counterfeit computer hardware and intellectual property theft, and identity theft/finding vulnerable government operatives.
Title: Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace
URL: http://vialardi.org/nastrazzuro/pdf/US-Russia.pdf
Source: EastWest Institute
Date: February 3, 2011
Pages: 60
Notes: [The authors] led the cyber and traditional security experts through a point-by-point analysis of the Geneva and Hague Conventions. Ultimately, the group made five immediate recommendations for Russian and U.S.-led joint assessments, each exploring how to apply a key convention principle to cyberspace.

Title: The Reliability of Global Undersea Communications Cable Infrastructure (The Rogucci Report)
URL: http://www.ieee-rogucci.org/files/The%20ROGUCCI%20Report.pdf
Source: IEEE/EastWest Institute
Date: May 26, 2010
Pages: 186
Notes: This study submits 12 major recommendations to the private sector, governments and other stakeholders — especially the financial sector — for the purpose of improving the reliability, robustness, resilience, and security of the world's undersea communications cable infrastructure.

Title: ITU Toolkit for Cybercrime Legislation
URL: http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-toolkit-cybercrime-legislation.pdf
Source: International Telecommunications Union
Date: February 2010
Pages: N/A
Notes: This document aims to provide countries with sample legislative language and reference material that can assist in the establishment of harmonized cybercrime laws and procedural rules.

Note: Highlights compiled by CRS from the reports.
Table 28. Selected Reports: Education/Training/Workforce

April 16, 2013

Title: NCCoE Celebrates National Cybersecurity Excellence Partnerships
URL: http://csrc.nist.gov/nccoe/The-Center/News/News.html
Source: NIST National Cybersecurity Center of Excellence
Date: April 15, 2013
Pages: N/A
Notes: Eleven private organizations agreed to partner with the National Institute of Standards and Technology to share cybersecurity staff and best practices to help better combat cyber threats.

Title: 2012 Information Technology Workforce Assessment for Cybersecurity
URL: https://cio.gov/wp-content/uploads/downloads/2013/04/ITWAC-Summary-Report_04-01-2013.pdf
Source: U.S. Department of Homeland Security
Date: April 3, 2013
Pages: 131
Notes: The report, which is based on an anonymous survey of nearly 23,000 cyber workers across 52 departments and agencies, also found that while the majority (49%) of cyber feds have more than 10 years of service until they reach retirement eligibility, nearly 33% will be eligible to retire in the next three years.

Title: National Initiative for Cybersecurity Careers and Studies (NICCS)
URL: http://niccs.us-cert.gov/
Source: U.S. Department of Homeland Security
Date: February 21, 2013
Pages: N/A
Notes: NICCS is an online resource for cybersecurity career, education, and training information. It is a partnership between DHS, the National Institute of Standards and Technology, the Office of the Director of National Intelligence, the Department of Defense, the Department of Education, the National Science Foundation, and the Office of Personnel Management.

Title: Michigan Cyber Range
URL: http://www.merit.edu/cyberrange/
Source: Partnership between the state of Michigan, Merit Network, federal and local governments, colleges and universities, and the private sector
Date: November 12, 2012
Pages: N/A
Notes: Enables individuals and organizations to develop detection and reaction skills through simulations and exercises.

Title: CyberSkills Task Force Report
URL: https://www.hsdl.org/hslog/?q=node/7934
Source: U.S. Department of Homeland Security
Date: October 1, 2012
Pages: 41
Notes: DHS's Task Force on CyberSkills proposes far-reaching improvements to enable DHS to recruit and retain the cybersecurity talent it needs.

Title: Cyber Security Test Bed: Summary and Evaluation Results
URL: http://sites.duke.edu/ihss/files/2011/12/Cyber-Security-Test-Bed_Final-Report_Rowe.pdf
Source: Institute for Homeland Security Solutions
Date: October 2012
Pages: 89
Notes: The Cyber Test Bed project was a case study analysis of how a set of interventions, including threat analysis, best practices sharing, and executive and staff training events, over the course of one year, would impact a group of nine small and mid-size businesses in North Carolina. Pre- and post-Test Bed interviews were conducted with company officials to establish a baseline and evaluate the impact of the Test Bed experience. After the Cyber Test Bed experience, decision makers at these companies indicated an increase in their perceptions of the risk of cyber attacks and an increase in their knowledge of possible solutions.

Title: Information Assurance Scholarship Program
URL: http://www.doncio.navy.mil/ContentView.aspx?id=535
Source: U.S. Navy
Date: August 28, 2012
Pages: N/A
Notes: The Information Assurance Scholarship Program is designed to increase the number of qualified personnel entering the information assurance and information technology fields within the department, Defense officials said last week. The scholarships also are an attempt to effectively retain military and civilian cybersecurity and IT personnel.

Title: Smart Grid Cybersecurity: Job Performance Model Report
URL: http://www.pnl.gov/main/publications/external/technical_reports/PNNL-21639.pdf
Source: Pacific Northwest National Laboratory
Date: August 1, 2012
Pages: 178
Notes: This report outlines the work done to develop a smart grid cybersecurity certification. The primary purpose is to develop a measurement model that may be used to guide curriculum, assessments, and other development of technical and operational smart grid cybersecurity knowledge, skills, and abilities.

Title: National Centers of Academic Excellence (CAE) in Cyber Operations Program
URL: http://www.nsa.gov/academia/nat_cae_cyber_ops/index.shtml
Source: National Security Agency (NSA)
Date: May 29, 2012
Pages: N/A
Notes: The NSA has launched the National Centers of Academic Excellence (CAE) in Cyber Operations Program; the program is intended to be a deeply technical, interdisciplinary, higher education program grounded in the computer science (CS), computer engineering (CE), or electrical engineering (EE) disciplines, with extensive opportunities for hands-on applications via labs and exercises.

Title: Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination
URL: http://www.gao.gov/products/GAO-12-8
Source: General Accountability Office (GAO)
Date: November 29, 2011
Pages: 86
Notes: To ensure that government-wide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

Title: NICE Cybersecurity Workforce Framework
URL: http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909505
Source: National Initiative for Cybersecurity Education (NICE)
Date: November 21, 2011
Pages: 35
Notes: The adoption of cloud computing into the federal government and its implementation depend upon a variety of technical and non-technical factors. A fundamental reference point, based on the NIST definition of cloud computing, is needed to describe an overall framework that can be used government-wide. This document presents the NIST Cloud Computing Reference Architecture (RA) and Taxonomy (Tax) that will accurately communicate the components and offerings of cloud computing.

Title: 2011 State of Cyberethics, Cybersafety and Cybersecurity Curriculum in the U.S. Survey
URL: http://www.staysafeonline.org/sites/default/files/resource_documents/2011%20National%20K-12%20Study%20Final_0.pdf
Source: National Cyber Security Alliance and Microsoft
Date: May 13, 2011
Pages: 16
Notes: This year's survey further explores the perceptions and practices of U.S. teachers, school administrators and technology coordinators in regards to cyberethics, cybersafety, and cybersecurity education. This year's survey finds that young people still are not receiving adequate training and that teachers are ill-prepared to teach the subjects due, in large part, to lack of professional development.

Title: Cyber Operations Personnel Report (DOD)
URL: http://www.nsci-va.org/CyberReferenceLib/2011-04-Cyber%20Ops%20Personnel.pdf
Source: Department of Defense
Date: April 2011
Pages: 84
Notes: This report is focused on FY09 Department of Defense Cyber Operations personnel, with duties and responsibilities as defined in Section 934 of the Fiscal Year (FY) 2010 National Defense Authorization Act (NDAA).
Appendix A — Cyber Operations-related Military Occupations
Appendix B — Commercial Certifications Supporting the DoD Information Assurance Workforce Improvement Program
Appendix C — Military Services Training and Development
Appendix D — Geographic Location of National Centers of Academic Excellence in Information Assurance

Title: Design of the DETER Security Testbed
URL: http://www.isi.edu/deter/news/news.php?story=20
Source: University of Southern California (USC) Information Sciences Institute, University of California Berkeley (UCB), McAfee Research
Date: January 13, 2011
Pages: N/A
Notes: The Department of Homeland Security (DHS) will invest $16 million over the next five years to expand a cybersecurity testbed at the University of Southern California (USC). The Deterlab testbed provides an isolated 400-node mini-Internet, in which researchers can investigate malware and other security threats without danger of infecting the real Internet. It also supports classroom exercises in computer security for nearly 400 students at 10 universities and colleges.

Title: The Power of People: Building an Integrated National Security Professional System for the 21st Century
URL: http://www.pnsr.org/data/images/pnsr_the_power_of_people_report.pdf
Source: Project on National Security Reform (PNSR)
Date: November 2010
Pages: 326
Notes: This study was conducted in fulfillment of Section 1054 of the National Defense Authorization Act for Fiscal Year 2010, which required the commissioning of a study by "an appropriate independent, nonprofit organization, of a system for career development and management of interagency national security professionals."

Note: Highlights compiled by CRS from the reports.


Table 29. Selected Reports: Research & Development (R&D)

Title: The International Cyber-Security Ecosystem (video lecture)
URL: http://smartech.gatech.edu/handle/1853/45450
Source: Anthony M. Rutkowski, Distinguished Senior Research Fellow at the Georgia Institute of Technology, Nunn School Center for International Strategy Technology and Policy (CISTP)
Date: November 6, 2012
Pages: N/A
Notes: Overview of the various forums/communities and methodologies that comprise the security assurance ecosystem — often also referred to as Information Assurance.

Title: 20 Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines - version 4.0
URL: http://www.sans.org/critical-security-controls/
Source: Center for Strategic & International Studies
Date: November 2012
Pages: 89
Notes: The Top 20 security controls were agreed upon by a consortium. Members of the Consortium include NSA, US CERT, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus commercial forensics experts in the banking and critical infrastructure communities.

Title: National Cybersecurity Center of Excellence
URL: http://csrc.nist.gov/nccoe/
Source: National Institute of Standards and Technology (NIST)
Date: June 29, 2012
Pages: N/A
Notes: The National Cybersecurity Center of Excellence (NCCoE) is a new public-private collaboration to bring together experts from industry, government and academia to design, implement, test, and demonstrate integrated cybersecurity solutions and promote their widespread adoption.

Title: Information Security Risk Taking
URL: http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=1127185
Source: National Science Foundation (NSF)
Date: January 17, 2012
Pages: N/A
Notes: The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals.

Title: Anomaly Detection at Multiple Scales (ADAMS)
URL: http://info.publicintelligence.net/DARPA-ADAMS.pdf
Source: Defense Advanced Research Projects Agency (DARPA)
Date: November 9, 2011
Pages: 74
Notes: The design document was produced by Allure Security and sponsored by the Defense Advanced Research Projects Agency (DARPA). It describes a system for preventing leaks by seeding believable disinformation in military information systems to help identify individuals attempting to access and disseminate classified information.

Title: At the Forefront of Cyber Security Research
URL: http://www.livescience.com/15423-forefront-cyber-security-research-nsf-bts.html
Source: NSF
Date: August 11, 2011
Pages: N/A
Notes: TRUST is a university and industry consortium that examines cyber security issues related to health care, national infrastructures, law and other issues facing the general public.

Title: Designing A Digital Future: Federally Funded Research And Development In Networking And Information Technology
URL: http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-nitrd-report-2010.pdf
Source: White House
Date: December 16, 2010
Pages: 148
Notes: The President's Council of Advisors on Science and Technology (PCAST) has made several recommendations in a report about the state of the government's Networking and Information Technology Research and Development (NITRD) Program.

Title: Partnership for Cybersecurity Innovation
URL: http://www.whitehouse.gov/blog/2010/12/06/partnership-cybersecurity-innovation
Source: White House Office of Science and Technology Policy
Date: December 6, 2010
Pages: 10
Notes: The Obama Administration released a Memorandum of Understanding signed by the National Institute of Standards and Technology (NIST) of the Department of Commerce, the Science and Technology Directorate of the Department of Homeland Security (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The goal of the agreement is to speed the commercialization of cybersecurity research innovations that support our nation's critical infrastructures.

Title: Science of Cyber-Security
URL: http://www.fas.org/irp/agency/dod/jason/cyber.pdf
Source: Mitre Corp (JASON Program Office)
Date: November 2010
Pages: 86
Notes: JASON was requested by DOD to examine the theory and practice of cyber-security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach, identify what is needed in creating a science of cyber-security, and recommend specific ways in which scientific methods can be applied.

Title: American Security Challenge
URL: http://www.americansecuritychallenge.com/
Source: National Security Initiative
Date: October 18, 2010
Pages: N/A
Notes: The objective of the Challenge is to increase the visibility of innovative technology and help the commercialization process so that such technology can reach either the public or commercial marketplace faster to protect our citizens and critical assets.

Note: Highlights compiled by CRS from the reports.
Related Resources: Other Websites

This section contains other cybersecurity resources, including U.S. government, international, news sources, and other associations and institutions.


Table 30. Related Resources: Congressional/Government

Name: Computer Security Resource Center
URL: http://csrc.nist.gov/
Source: National Institute of Standards and Technology (NIST)
Notes: Links to NIST resources, publications, and computer security groups.

Name: Congressional Cybersecurity Caucus
URL: http://cybercaucus.langevin.house.gov/
Source: Led by Representatives Jim Langevin and Mike McCaul.
Notes: Provides statistics, news on congressional cyberspace actions, and links to other informational websites.

Name: Cybersecurity and Trustworthiness Projects and Reports
URL: http://sites.nationalacademies.org/CSTB/CSTB_059144
Source: Computer Science and Telecommunications Board, National Academy of Sciences
Notes: A list of independent and informed reports on cybersecurity and public policy.

Name: Cybersecurity
URL: http://www.whitehouse.gov/cybersecurity
Source: White House National Security Council
Notes: Links to White House policy statements, key documents, videos, and blog posts.

Name: Cybersecurity
URL: http://www.ntia.doc.gov/category/cybersecurity
Source: National Telecommunications & Information Administration (U.S. Department of Commerce)
Notes: The Department of Commerce's Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy.

Name: Cybersecurity and Information System Trustworthiness
URL: http://sites.nationalacademies.org/CSTB/CSTB_045327#Cybersecurity
Source: National Academy of Sciences, Computer Science and Telecommunications Board
Notes: A list of independent and informed reports on cybersecurity and public policy.

Name: Office of Cybersecurity and Communications (CS&C)
URL: http://www.dhs.gov/xabout/structure/gc_1185202475883.shtm
Source: U.S. Department of Homeland Security
Notes: As the sector-specific agency for the communications and IT sectors, CS&C coordinates national level reporting that is consistent with the National Response Framework (NRF).

Name: U.S. Cyber Command
URL: http://www.defense.gov/home/features/2010/0410_cybersec/
Source: U.S. Department of Defense
Notes: Links to press releases, fact sheets, speeches, announcements, and videos.

Name: U.S. Cyber-Consequences Unit
URL: http://www.usccu.us/
Source: U.S. Cyber-Consequences Unit (US-CCU)
Notes: U.S.-CCU, a nonprofit 501(c)(3) research institute, provides assessments of the strategic and economic consequences of possible cyber-attacks and cyber-assisted physical attacks. It also investigates the likelihood of such attacks and examines the cost-effectiveness of possible counter-measures.

Note: Highlights compiled by CRS from the reports.
Table 31. Related Resources: International Organizations

Name: Australian Internet Security Initiative
URL: http://www.acma.gov.au/WEB/STANDARD/pc=PC_310317
Source: Australian Communications and Media Authority
Notes: The Australian Internet Security Initiative (AISI) is an antibotnet initiative that collects data on botnets in collaboration with Internet Service Providers (ISPs), and two industry codes of practice.

Name: Cybercrime
URL: http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp
Source: Council of Europe
Notes: Links to the Convention on Cybercrime treaty, standards, news, and related information.

Name: Cybersecurity Gateway
URL: http://groups.itu.int/Default.aspx?alias=groups.itu.int/cybersecurity-gateway
Source: International Telecommunications Union (ITU)
Notes: ITU's Global Cybersecurity Agenda (GCA) is the framework for international cooperation with the objective of building synergies and engaging all relevant stakeholders in our collective efforts to build a more secure and safer information society for all.

Name: Cybercrime Legislation - Country Profiles
URL: http://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/Documents/CountryProfiles/default_en.asp
Source: Council of Europe
Notes: These profiles have been prepared within the framework of the Council of Europe's Project on Cybercrime in view of sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation.

Name: ENISA: Securing Europe's Information Society
URL: http://www.enisa.europa.eu/
Source: European Network and Information Security Agency (ENISA)
Notes: ENISA informs businesses and citizens in the European Union on cybersecurity threats, vulnerabilities, and attacks. (Requires free registration to access.)

Name: German Anti-Botnet Initiative
URL: http://www.oecd.org/dataoecd/42/50/45509383.pdf
Source: Organisation for Economic Co-operation and Development (OECD) (English-language summary)
Notes: This is a private industry initiative which aims to ensure that customers whose personal computers have become part of a botnet without them being aware of it are informed by their Internet Service Providers about this situation and at the same time are given competent support in removing the malware.

Name: International Cyber Security Protection Alliance (ICSPA)
URL: https://www.icspa.org/about-us/
Source: International Cyber Security Protection Alliance (ICSPA)
Notes: A global not-for-profit organization that aims to channel funding, expertise, and help directly to law enforcement cyber crime units around the world.

Name: NATO Cooperative Cyber Defence Centre of Excellence (CCD COE)
URL: http://www.ccdcoe.org/
Source: North Atlantic Treaty Organization (NATO)
Notes: The Center is an international effort that currently includes Estonia, Latvia, Lithuania, Germany, Hungary, Italy, the Slovak Republic, and Spain as sponsoring nations, to enhance NATO's cyber defence capability.

Note: Highlights compiled by CRS from the reports.
Table 32. Related Resources: News

Name / Source

Computer Security (Cybersecurity)
http://topics.nytimes.com/top/reference/timestopics/subjects/c/computer_security/index.html
New York Times

Cybersecurity
http://www.nextgov.com/cybersecurity/?oref=ng-nav
NextGov.com

Cyberwarfare and Cybersecurity
http://benton.org/taxonomy/term/1193
Benton Foundation

Homeland Security
http://homeland.cq.com/hs/news.do
Congressional Quarterly (CQ)

Cybersecurity
http://www.homelandsecuritynewswire.com/topics/cybersecurity
Homeland Security News Wire
Table 33. Related Resources: Other Associations and Institutions

Name / Notes

Cyber Aces Foundation
http://www.cyberaces.org/
Offers challenging and realistic cybersecurity competitions, training camps, and educational initiatives through which high school and college students and young professionals develop the practical skills needed to excel as cybersecurity practitioners.

Cybersecurity from the Center for Strategic & International Studies (CSIS)
http://csis.org/category/topics/technology/cybersecurity
Links to experts, programs, publications, and multimedia. CSIS is a bipartisan, nonprofit organization whose affiliated scholars conduct research and analysis and develop policy initiatives that look to the future and anticipate change.

Cyberconflict and Cybersecurity Initiative from the Council on Foreign Relations
http://www.cfr.org/projects/world/cyberconflict-and-cybersecurity-initiative/pr1497
Focuses on the relationship between cyberwar and the existing laws of war and conflict; how the United States should engage other states and international actors in pursuit of its interests in cyberspace; how the promotion of the free flow of information interacts with the pursuit of cybersecurity; and the private sector's role in defense, deterrence, and resilience.

Federal Cyber Service from the Scholarship For Service (SFS)
https://www.sfs.opm.gov/
Scholarship For Service (SFS) is designed to increase and strengthen the cadre of federal information assurance professionals that protect the government's critical information infrastructure. This program provides scholarships that fully fund the typical costs that students pay for books, tuition, and room and board while attending an approved institution of higher learning.

Institute for Information Infrastructure Protection (I3P)
http://www.thei3p.org/
I3P is a consortium of leading universities, national laboratories, and nonprofit institutions dedicated to strengthening the cyber infrastructure of the United States.

Internet Security Alliance (ISA)
http://www.isalliance.org/
ISAlliance is a nonprofit collaboration between the Electronic Industries Alliance (EIA), a federation of trade associations, and Carnegie Mellon University's CyLab.

National Association of State Chief Information Officers (NASCIO)
http://www.nascio.org/advocacy/cybersecurity
NASCIO's cybersecurity awareness website. The Resource Guide provides examples of state awareness programs and initiatives.

National Board of Information Security Examiners (NBISE)
http://www.nbise.org/certifications.php
The National Board of Information Security Examiners (NBISE) mission is to increase the security of information networks, computing systems, and industrial and military technology by improving the potential and performance of the cybersecurity workforce.

National Initiative for Cybersecurity Education (NICE)
http://csrc.nist.gov/nice/
NICE attempts to forge a common set of definitions for the cybersecurity workforce.

National Security Cyberspace Institute (NSCI)
http://www.nsci-va.org/whitepapers.htm
NSCI provides education, research, and analysis services to government, industry, and academic clients aiming to increase cyberspace awareness, interest, knowledge, and/or capabilities.

U.S. Cyber Challenge (USCC)
http://www.uscyberchallenge.org/
USCC's goal is to find 10,000 of America's best and brightest to fill the ranks of cybersecurity professionals where their skills can be of the greatest value to the nation.

Source: Highlights compiled by CRS from the reports of related associations and institutions.
Author Contact Information

Rita Tehan
Information Research Specialist
rtehan@crs.loc.gov, 7-6739

Key Policy Staff

The following table provides names and contact information for CRS experts on policy issues related to cybersecurity bills currently being debated in the 112th Congress.

Legislative issue: Name/Title, Phone, E-mail

Legislation in the 112th Congress: Eric A. Fischer, 7-7071, efischer@crs.loc.gov
Critical infrastructure protection: John D. Moteff, 7-1435, jmoteff@crs.loc.gov
  Chemical industry: Dana Shea, 7-6844, dshea@crs.loc.gov
  Defense industrial base: Catherine A. Theohary, 7-0844, ctheohary@crs.loc.gov
  Electricity grid: Richard J. Campbell, 7-7905, rcampbell@crs.loc.gov
  Financial institutions: N. Eric Weiss, 7-6209, eweiss@crs.loc.gov
  Industrial control systems: Dana Shea, 7-6844, dshea@crs.loc.gov
Cybercrime
  Federal laws: Charles Doyle, 7-6968, cdoyle@crs.loc.gov
  Law enforcement: Kristin M. Finklea, 7-6259, kfinklea@crs.loc.gov
Cybersecurity workforce: Wendy Ginsberg, 7-3933, wginsberg@crs.loc.gov
Cyberterrorism: Catherine A. Theohary, 7-0844, ctheohary@crs.loc.gov
Cyberwar: Catherine A. Theohary, 7-0844, ctheohary@crs.loc.gov
Data breach notification: Gina Stevens, 7-2581, gstevens@crs.loc.gov
Economic issues: N. Eric Weiss, 7-6209, eweiss@crs.loc.gov
Espionage
  Advanced persistent threat: Catherine A. Theohary, 7-0844, ctheohary@crs.loc.gov
  Economic and industrial: Kristin M. Finklea, 7-6259, kfinklea@crs.loc.gov
  Legal issues: Brian T. Yeh, 7-5182, byeh@crs.loc.gov
  State-sponsored: Catherine A. Theohary, 7-0844, ctheohary@crs.loc.gov
Federal agency roles: Eric A. Fischer, 7-7071, efischer@crs.loc.gov
  Chief Information Officers (CIOs): Patricia Maloney Figliola, 7-2508, pfigliola@crs.loc.gov
  Commerce: John F. Sargent, Jr., 7-9147, jsargent@crs.loc.gov
  Defense (DOD): Catherine A. Theohary, 7-0844, ctheohary@crs.loc.gov
  Executive Office of the President (EOP): John D. Moteff, 7-1435, jmoteff@crs.loc.gov
  Homeland Security (DHS): John D. Moteff, 7-1435, jmoteff@crs.loc.gov
  Intelligence Community (IC): John Rollins, 7-5529, jrollins@crs.loc.gov
  Justice (DOJ): Kristin M. Finklea, 7-6259, kfinklea@crs.loc.gov
  National Security Agency (NSA): Catherine A. Theohary, 7-0844, ctheohary@crs.loc.gov
  Science agencies (NIST, NSF, OSTP): Eric A. Fischer, 7-7071, efischer@crs.loc.gov
  Treasury and financial agencies: Rena S. Miller, 7-0826, rsmiller@crs.loc.gov
Federal Information Security Management Act (FISMA): John D. Moteff, 7-1435, jmoteff@crs.loc.gov
Federal Internet monitoring: Richard M. Thompson II, 7-8449, rthompson@crs.loc.gov
Hacktivism: Kristin M. Finklea, 7-6259, kfinklea@crs.loc.gov
Information sharing: Eric A. Fischer, 7-7071, efischer@crs.loc.gov
  Antitrust laws: Kathleen Ann Ruane, 7-9135, kruane@crs.loc.gov
  Civil liability: Edward C. Liu, 7-9166, eliu@crs.loc.gov
  Classified information: John Rollins, 7-5529, jrollins@crs.loc.gov
  Freedom of Information Act (FOIA): Gina Stevens, 7-2581, gstevens@crs.loc.gov
  Privacy and civil liberties: Gina Stevens, 7-2581, gstevens@crs.loc.gov
International cooperation
  Defense and diplomatic: Catherine A. Theohary, 7-0844, ctheohary@crs.loc.gov
  Law enforcement: Kristin M. Finklea, 7-6259, kfinklea@crs.loc.gov
National strategy and policy: Eric A. Fischer, 7-7071, efischer@crs.loc.gov
National security: John Rollins, 7-5529, jrollins@crs.loc.gov
Public/private partnerships: Eric A. Fischer, 7-7071, efischer@crs.loc.gov
Supply chain: Eric A. Fischer, 7-7071, efischer@crs.loc.gov
Technological issues: Eric A. Fischer, 7-7071, efischer@crs.loc.gov
  Botnets: Eric A. Fischer, 7-7071, efischer@crs.loc.gov
  Cloud computing: Patricia Maloney Figliola, 7-2508, pfigliola@crs.loc.gov
  Mobile devices: Patricia Maloney Figliola, 7-2508, pfigliola@crs.loc.gov
  Research and development (R&D): Patricia Maloney Figliola, 7-2508, pfigliola@crs.loc.gov